Adding to the litany of data breaches and privacy violations already uncovered, Facebook has reportedly been asking some of its users to "confirm" their private email account passwords in order to "verify" their accounts – only to secretly use these passwords to steal users' contact lists.
Facebook users with overseas or non-mainstream email domains, such as GMX and Yandex, have apparently been the primary targets of this illicit phishing scheme, while users with accounts at better-known email providers like Gmail have been having their accounts "verified" in secret, without any visible prompt asking them for their passwords.
"When users try to register with certain email providers, including Yandex and GMX, it asks to 'confirm your email address' by entering their password directly into Facebook," a report containing the detailed findings of a lengthy investigation by Business Insider reveals.
"Users of other email providers like Google's Gmail don't see the option, as it makes use of authorization tool OAuth – a common tool for securely verifying your identity without requiring you to input your password as Facebook is doing here," it adds further.
Once the news broke about this illicit scheme, Facebook was quick to deny any wrongdoing. A spokesman for the Silicon Valley-based social media giant insisted that the passwords harvested by Facebook "are not stored" on its servers. This same spokesman added that Facebook will now be "discontinuing the feature" – not because it was brought to light, of course, but because it apparently wasn't "the best way to go about this."
Commenting on the revelation that Facebook is once again stealing people's private information without permission, security researcher Bennett Cyphers of the Electronic Frontier Foundation (EFF) declared that the whole scheme is "basically indistinguishable from a phishing attack," comparing Facebook to a basement-dwelling hacker, in so many words.
"This is bad on so many levels," Cyphers is quoted as saying. "It's an absurd overreach by Facebook and a sleazy attempt to trick people to upload data about their contacts to Facebook as the price of signing up. Even when you consent to uploading contact information to Facebook, you should never have to put in your email password to do it," he added, stating bluntly that Facebook's little scheme "goes against all conventional wisdom, basic decency, and common sense."
Former Facebook operations manager Sandy Parakilas left the company last year over these types of shenanigans, which would appear to be routine and even built into Facebook's entire structure as a company. She describes Facebook's misuse of user data as "horrifying," adding that there are no checks or balances in place at Facebook to ensure that user data is properly protected.
"My concerns were that all of the data that left Facebook servers to developers could not be monitored by Facebook, so we had no idea what developers were doing with the data," Parakilas is quoted as saying.
"Once the data left Facebook servers there was not any control, and there was no insight into what was going on."
Sources for this article include: