the zucc

Facebook Stored Millions of Instagram Passwords Insecurely and Secretly Scraped User Email Accounts

Photo: Justin Sullivan/Getty Images

A little over a year ago, a penitent Mark Zuckerberg embarked on another one of his lengthy apology tours for one of the many privacy screwups that his company seems to commit on a daily basis. “We have a responsibility to protect your data, and if we can’t, then we don’t deserve to serve you,” he said. He’s said this numerous times. It’s a cute line.

Anyway, Mark Zuckerberg doesn’t deserve to serve you. Yesterday, while much of the news media was speed-reading the Mueller report, Facebook made some more disclosures about how bad they are about protecting your privacy.

Remember last month, when Facebook disclosed that it had stored millions of user passwords in plaintext accessible to company employees for years? At the time, the company also said tens of thousands of Instagram users were also swept up in it. Yesterday, Facebook quietly updated that month-old announcement to include this addendum:

Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.

I am but a humble blogger and not a mathematician, but there’s a pretty big difference between tens of thousands and “millions.” One of the numbers is longer, and according to my studies, a longer number often means a bigger number. “Our investigation has determined that these stored passwords were not internally abused or improperly accessed,” Facebook said. Granted, there’s plenty of evidence that Facebook is just bad at investigating.

But wait! There’s more! Last month, security researcher e-sushi discovered that Facebook was asking for users’ email-account passwords in order to verify their identity. This is a practice that is universally disapproved of — never, ever, ever give a third party your password. Responsible services aren’t supposed to ask for your log-in credentials to any site; it’s why help hotlines usually remind callers not to give out passwords. (Just to be clear: When you log-in into a website through Facebook or Google, for example, you are actually just logging in to Facebook or Google and then they securely hand you back to the original website. That’s different.)

Facebook quickly admitted that this method of verifying someone’s identity was stupid as hell (my words) and said it would stop the practice … but not before harvesting the email contacts of 1.5 million people without warning. Since May 2016, Facebook had been scraping user contacts from their email accounts, according to Business Insider, which wrote:

At the time, it wasn’t clear what was happening — but on Wednesday, Facebook disclosed to Business Insider that 1.5 million people’s contacts were collected this way and fed into Facebook’s systems, where they were used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add.

Facebook says it is now deleting the data, a claim that is effectively worthless. For instance, consider the Clear History tool that Facebook announced last year and which still is not available to users — partly because it was conceived of quickly as a shield against bad PR, but also because letting people disentangle certain information from Facebook is a difficult if not impossible task. The data that Facebook took from 1.5 million users has already been fed into its system, analyzed, used to build ad profiles and social connections. The company has already extracted value from the original data set. Deleting it does nothing to help the affected users.

Facebook Is Not Good at Protecting Your Privacy