The “unintentional uploads” have taken place since 2016.
Facebook « unintentionally » uploaded and stored email contact information belonging to roughly 1.5 million users over the course of three years.
The issue came to light after a security researcher notified the social media giant of a controversial verification system implemented for some users, in which they were asked to provide their email address credentials.
A practice woeful in itself and one that Facebook said that in hindsight was « not the best way » to go about verification, despite the company’s promise to stop asking for these details, the security ramifications, it seems, went even deeper than first reported.
According to Business Insider, some of the users attempting to sign up for the first time who were asked for their email credentials would also see a pop-up message which notified the individual that their email contacts were being « imported » for the purposes of building up social connections.
See also: Facebook bolsters bug bounty program with rewards for user token exposure
Asking for the key to an email account for verification purposes on a third-party domain is bad enough and is not recommended in the interests of security.
