
Another day, another Facebook privacy scandal.

According to the social media company, its engineers were trying to kill off an old registration function dating back to 2016, only to discover that it was still nabbing e-mail contacts — from as many as 1.5 million new users as they signed up.

The issue was first spotted on March 31 by a cybersecurity pro who goes by the Twitter moniker “e-sushi,” aka Mike Edward Moras, before the story broke Thursday.

Posting on Twitter, Moras expressed shock that Facebook was requesting e-mail passwords from any users during sign-ups. (Password requests are a major red flag for security experts, who consider them signs of a potential scam.)

Facebook regularly used this verification feature prior to May 2016, but later redesigned it to make giving e-mail passwords optional. The information fed into other areas, like the platform’s advertising targeting and “people you may know” feature.

Now the company itself finally seemed to realize that this practice should end. As a spokesman told WWD, Facebook intended to shut it down in March, but didn’t realize then that the functionality wasn’t fully killed.

Here’s the full statement:

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

This would be a serious misstep for any major tech company. That it came from Facebook, which has been heavily scrutinized for its privacy and security practices, looks even worse.

Applying some basic math makes the potential scope of this gaffe loom large, since with e-mail passwords comes the ability to harvest e-mail contacts. The contacts of some 1.5 million users could easily amount to a hundred million, even hundreds of millions, of people.

The other issue is that once the e-mail password has been entered, the contacts reportedly began importing without asking for the user’s permission. Europe enacted a stringent privacy regulation, known as General Data Protection Regulation or GDPR, to combat this kind of thing; and California — Facebook’s home turf — passed its own version in 2018.

Part of the catalyst for the legislation was Facebook’s own Cambridge Analytica scandal, in which a third-party firm received unauthorized access to user data to target people during the 2016 presidential election.

Another consideration is the timing.

Chief executive officer Mark Zuckerberg has repeatedly pledged more transparency — a promise that some critics view with a healthy dose of skepticism. Last month, Facebook revealed that it stored hundreds of millions of users’ account passwords in plain text, prompting a collective groan from the data security community. This time, the public found out about the e-mail password verification gaffe from the media, not the tech giant.

What the company got right was patching the problem quickly, as well as stating that it would notify affected users and delete the data. The last part, about reviewing the contacts shared with Facebook, may be the most important part. It’s always a good idea for tech users to review the data they share with companies, as a general rule. And never, ever share personal e-mail passwords with companies.