News & Analysis

Recent Facebook Security Issues: Harvested User Emails And Exposed More Instagram Users Than Previously Thought

By ISBuzz Team, April 22, 2019 (Updated: May 8, 2025)

Facebook admitted last month that it has been storing passwords for Facebook, Facebook Lite and Instagram users in plaintext since 2012. While the unencrypted passwords were not accessed by a malicious actor, about 2,000 Facebook engineers and developers had the ability to view these users’ login credentials. Facebook’s initial estimates stated that “hundreds of millions” of Facebook users and “thousands” of Instagram users were affected. However, Facebook waited until the Mueller report dropped yesterday to announce that “millions” of Instagram passwords were exposed in its password-related security incident last month, instead of the initial estimate of “tens of thousands.”
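The plaintext-storage failure described above, as an added example that is not Facebook’s code and not part of the original article: a login path that writes the raw password into an application log (readable by anyone with log access) next to a hardened version that persists only a salted PBKDF2 hash, plus a small scanner that flags unredacted credential fields in log lines. The usernames, passwords, round count and log lines are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed example: how a secret ends up in plaintext where engineers can
# read it, and the hardened alternative that never stores or logs the secret.

PBKDF2_ROUNDS = 600_000  # work factor for PBKDF2-HMAC-SHA256 (assumed value)


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$rounds$salt$digest (hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_unsafe(username: str, password: str, log: list) -> None:
    # Defect: the whole request, secret included, lands in a log that every
    # engineer with log access can read; this is the plaintext exposure.
    log.append(f"login user={username} password={password}")


def login_safe(username: str, password: str, log: list) -> None:
    # Log the event, never the secret. Only hash_password() output is persisted.
    log.append(f"login user={username} password=[REDACTED]")


# Detection: credential-looking key=value pairs whose value is not redacted.
SECRET_KEY_RE = re.compile(
    r"\b(password|passwd|pwd|secret|token)=(?!\[REDACTED\])\S+", re.I)


def find_leaked_secrets(lines):
    """Return indexes of log lines that still carry a raw credential."""
    return [i for i, line in enumerate(lines) if SECRET_KEY_RE.search(line)]


if __name__ == "__main__":
    log = []
    login_unsafe("alice", "hunter2", log)   # constructed sample
    login_safe("bob", "correct horse", log)  # constructed sample
    print(find_leaked_secrets(log))  # [0]
```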

Facebook has also announced this week that it has harvested the email contact lists for 1.5 million of its users by asking for the email passwords for existing users’ accounts in 2016.  

Social Media Reaction: 

Beyond the security sin of asking 1.5 million people to reveal the passwords to their email accounts, Facebook then used those credentials to secretly suck up all their email contacts: https://t.co/6jW8ltPvfo

— Kashmir Hill (@kashhill) April 18, 2019

"A security researcher recently noticed Facebook was asking some new users to provide their email passwords when they signed up — a move widely condemned by security experts."

Obviously an evil move by Facebook, but how stupid do you have to be to do that.

— Michael Krieger (@LibertyBlitz) April 18, 2019

Story only gets worse: Two weeks ago, @Facebook was demanding users enter their email passwords. Now it appears FB was actually copying those users’ entire contact lists. In #SBBlogwatch at @securityblvd, @RICHI loses count of all the Facebook scandals: https://t.co/aMV0duHK1v

— Richi Jennings @[email protected] / @richi.bsky.social (@RiCHi) April 18, 2019

Experts’ Comments:

Ben Goodman, VP of Global Strategy and Innovation at ForgeRock:

“Facebook has been in the spotlight for several negative incidents recently. Last month the company announced it was storing hundreds of millions of users’ account passwords in plaintext, and now Facebook admitted that it uploaded 1.5 million email contacts without users’ consent. Even worse, Facebook revealed its March security incident affected millions of Instagram users instead of the initial estimate of ‘tens of thousands.’   

Despite the arguably poor security hygiene and the collection of users’ email contacts without their consent, the company has stated that no passwords were exposed externally and that it has no evidence of any of this information being abused to date. If any of the passwords and other login credentials were to have been exposed, malicious actors could have taken over more than a user’s Facebook or Instagram accounts. People tend to reuse passwords across multiple accounts, meaning that if one set of login credentials are exposed, the individual can become highly susceptible to accounts with much more sensitive information being hijacked such as banking, healthcare and even government portals. Social media accounts are also a treasure trove of personal data that if compromised can be used for social engineering, synthetic identity creation and account take overs.   

Facebook and Instagram users should strongly consider changing their passwords to something strong and unique that they do not use on other accounts, as well as enabling multi-factor authentication (MFA). MFA will prompt users to verify their identities in case an account’s credentials do happen to become compromised. Other companies should also strongly consider the use of MFA and behavioral analytics solutions, which can detect and prevent the use of these compromised credentials and data against them.”

Pravin Kothari, CEO at CipherCloud:  

“The Facebook privacy breach is more common than you think. There are a number of apps and websites that ask for and get your email address, LinkedIn, Twitter or Facebook account information and then use this permission to harvest your contacts. In some cases, these apps can be malicious and, once in, can start sending phishing emails to all of those contacts, but it appears that it’s coming from you, a bank or a cloud service provider, etc. Hackers can steal credentials via phishing, and those of your contacts, and use this access to take over your cloud accounts, bank accounts, and more.

Individuals and organizations should take the following steps to better protect the privacy of their data: use common sense on the application and the data they ask for before granting access to your information. Delink your connection to applications you are uncertain about. Be careful about clicking on links in phishing emails – often disguised as emails from your bank or credit card site. Call the number on your card or launch the site in a new browser if you’re not sure. Encrypt your personal data in the cloud and keep your encryption keys with you. Never store your keys and data in the same cloud. Use your rights management with shared documents so no one else can access them.”

Sam Curry, Chief Security Officer at Cybereason: 

“Facebook Privacy is an oxymoron and the gift that keeps on giving. In the wake of reports that Facebook uploaded contacts of more than 1 million users, and the face-palm of flat files containing users’ passwords in cleartext, we now have Facebook user-related information seeping into everything. Data in general is much like water in how it flows, building like an inexorable wave. Privacy data is even more like water in how it can corrode trust and erode even the mightiest digital giant. It’s beyond time for Facebook to have a plan and to be held accountable to it, and a clear message should be echoing in all the super aggregator board rooms: get serious about privacy or face existential accountability. The next step for Facebook needs to be making privacy a core value right now. Long overdue is Facebook bringing in independent advisors, observers and thought leaders to offer a fresh perspective and an opportunity to answer the tough questions.”

Jake Moore, Security Specialist at ESET: 

“Luckily, there doesn’t seem to have been a major breach of such data but it just goes to show how easily your personal data or even passwords can be compromised and why we should have tighter password management. 

Using a unique password is one step towards better protection just in case any of your passwords are leaked or phished by increasingly more sophisticated attackers. Further still, multifactor authentication is an even stronger way to help protect against attacks which use your phone as another form of verification. 

It just goes to show that however big or small the company is, mistakes can occur to the detriment of your password, so if there’s one thing you do differently today, make sure you download and start using a password manager app.”

Brian Vecci, Field CTO at Varonis: 

“This news illustrates how easy it is for any company – not just Facebook – to skip asking for consent when harvesting personal data like your contacts. Consumers need to be vigilant but also need a basic set of online rights. Companies shouldn’t be able to grab your entire social network through your contact list without express permission, and companies like Facebook need to face penalties when they do it. Without basic consumer protections that lead to real penalties, this kind of thing will continue to happen.”

Tim Mackey, Senior Technical Evangelist at Synopsys: 

“We’re now living in a world where user consent for data collection is key. Under GDPR Article 7, consent for the collection of personal data must be unambiguous and for a defined purpose. While at first glance it may appear that requesting access to a new user’s contact information satisfies this criterion, that isn’t the case. Article 7 (4) states that consent is only freely given if the processing of the data – in this case email address and email password – is required for access to the service. As Facebook users know, the Facebook service doesn’t require Facebook to collect and process email passwords. There is no legal obligation for Facebook to collect email addresses for new users, nor is it in the user’s vital interests for Facebook to harvest email contacts, nor in the public interest. This is then an example of a Facebook development team determining that an implementation to provide new users with a rich list of friends outweighs the privacy implications. For example, an address book may contain legacy email addresses for people the user has no desire to create or maintain a deep personal connection with. Effectively, Facebook have not disclosed the full extent such access might grant, nor have they provided any indication of how harvested emails might be used. I would recommend any concerned user who has signed up with Facebook since March 2016 immediately change their email password and then submit a request to Facebook for a detailed accounting of precisely what data was accessed and how that data was used.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
