Facebook has a long, long record of privacy fails and data scandals, but even by its standards the latest one is a jaw-dropper: the platform has revealed up to 1.5 million Facebook users might have had their email contacts unknowingly uploaded to the site.
The process was unintentional – according to Facebook – and happened when users were prompted for their password as part of a security verification process. It's been going on since May 2016 but Facebook says its now deleting all the scraped data.
On top of that, the shoddy password storage techniques used by Facebook that we reported on last month have in fact affected millions of Instagram users – not the "tens of thousands" that Facebook initially said.
- Facebook cracks down on livestreams
- Privacy scandals are dogging Facebook
- Facebook is making a voice assistant
In this case passwords were being stored in plain text, easily visible by Facebook engineers and developers. The passwords weren't leaked outside of Facebook, but the practice should still ring alarm bells – and again, Facebook has promised to fix it.
Keep up at the back
In summary, the plain text password fail of last month affected more Instagram users than we thought, and Facebook has also been uploading our contact lists without permission.
Still, Facebook promises to do better in the future, so there's that to hold on to. And a dark mode feature is rolling out in Facebook Messenger to distract you from all the ways that your data is being improperly handled.
At this point it seems Facebook is lurching from one scandal or gaffe to the next, without any real sign of permanently changing its ways. Meanwhile users are switching to other services – though admittedly many of them are also owned by Facebook.
Facebook boss Mark Zuckerberg seems keenly aware that the social media landscape is changing, and has said the platform will move towards more private sharing in the future. Let's hope our data stays private too.
Via Ars Technica