The New York Attorney General’s office announced last week that it’s launched an investigation into Facebook’s harvesting of 1.5 million users’ email address books without their consent.
Earlier this month, a security researcher had noticed that Facebook was asking some new users for their email passwords when they signed up: what he called “a HORRIBLE idea from an #infosec point of view”…particularly from a company that’s mishandled the passwords we use in two-factor authentication (2FA) and which saved hundreds of millions of users’ passwords to disk in raw, unencrypted form. But Facebook wasn’t just asking for some new users’ email passwords, the company would go on to admit: it was also sucking up their contacts, popping up a message saying the platform was “importing” their contacts without asking for permission first, nor offering any way for users to cancel the process.
Facebook admitted it had “unintentionally uploaded” 1.5 million contact databases of new Facebook users since May 2016. But as noted in a press release issued on Thursday by the office of New York Attorney General Letitia James, the number of emails drawn into this filter feeder’s baleen is bound to be orders of magnitude higher, as in, hundreds of millions, given that the affected people could have hundreds, if not thousands, of contacts in their contact databases. While Facebook claims that 1.5 million contact databases were directly harvested by its email password verification process for new users, the total number of people whose information was improperly obtained may be hundreds of millions. Well, isn’t it just typical, AG James said. It’s just the latest demonstration of how Facebook “does not take seriously its role in protecting our personal information,” she was quoted as saying. She added…It is time Facebook is held accountable for how it handles consumers’ personal information.