Ever since the Cambridge Analytica scandal was unveiled in March 2018, Facebook has seen a constant stream of blunders, most of which exposed the company’s horrendous management of its users’ private data.
Scandals ranged from those involving third-party apps, such as the Cambridge Analytica case, to security breaches such as the infamous hacking incident that exposed more than 50 million accounts, to poor handling of user data and flat-out shady practices involving the phone numbers users had provided for 2FA.
And let’s not forget that online advertisers had access to user data for years, with Facebook knowing about and allowing the practice.
All this dealt massive damage to Facebook and led the company to announce a shift towards a privacy-based infrastructure that will apply advanced encryption to all its products (WhatsApp, Instagram, and Facebook), purposely keeping every piece of private data encrypted and, well, private. But just a couple of weeks after the announcement, Facebook found itself in yet another privacy scandal, followed by two more over the course of the past month.
For Facebook, the cart keeps rolling down the hill, but somehow it still hasn’t hit a rock large enough to smash it. By now, though, it is in dire shape.
Millions of Facebook passwords were stored in plain text files at Facebook HQ
The first news came at the end of March, when KrebsOnSecurity learned that hundreds of millions of Facebook users had their passwords stored in plain text files on the company’s internal servers.
That’s plain text files, neither hashed nor encrypted in any way. In fact, files containing hundreds of millions of passwords were freely accessible to Facebook employees, who could open them at any time, search through them, and even misuse them, although no evidence was found that employees actually exploited the data.
When talking numbers, there were between 200 million and 600 million unique account passwords stored in plain text, with more than 20,000 Facebook employees having access to those text files. The oldest entries date back to 2012, meaning that hundreds of millions of user credentials were kept unsecured for seven years, which is bonkers to say the least.
Although more than 20,000 employees had access to those files, only 2,000 of them actually accessed them, making about nine million internal queries against the files.
Most passwords were tied to accounts that used Facebook Lite, a version of the Facebook mobile app built for developing markets dominated by low-spec phones on low-speed mobile internet. Tens of millions of the passwords belonged to regular Facebook app users and, surprisingly, tens of thousands were Instagram passwords.
After the company ran an internal investigation, it was discovered that millions of additional Instagram passwords were also stored in plain text files. The investigation concluded that there was no internal abuse of user passwords, and the company stated it will contact all users affected by this scandal. But that wasn’t all.
Just a couple of weeks after this case, it was discovered that two third-party apps had stored unencrypted user data containing more than half a billion records.
Third-party apps strike again, leaving private data exposed to the public
Just a couple of weeks after the scandal regarding Facebook and Instagram passwords being kept in plain text files, the security firm UpGuard Cyber Risk discovered two huge dumps of private data exposed to everyone via Amazon S3 buckets that had been configured to allow public download of every single file they contained.
The first dataset belongs to the Mexico-based media company Cultura Colectiva. The dataset is huge: it is 146 gigabytes large and contains more than 540 million records, including account names, Facebook IDs, likes, and comments.
The other dataset belongs to a third-party app called At the Pool, which hasn’t been active for a while. The app was integrated into Facebook, and its data dump is much smaller; it contains various data collected from users of the app.
Most of the data consists of interests, likes, and friends lists, but the dataset also includes more than 22,000 exposed passwords. Fortunately, those passwords are for the app itself, not for Facebook accounts.
Nevertheless, the fact remains that users of the app had their likes, interests, Facebook IDs, names, and other private data exposed and available to everyone. And less than three weeks after this scandal, Facebook got into another one, in which the company was found to have collected the email contacts of 1.5 million users.
Collecting email contacts without permission, while presenting it as required for users to continue using Facebook
The third addition to the already huge dumpster fire was the discovery that Facebook had collected the email address books of 1.5 million users without asking those users for clear permission. The mess was the result of a verification technique, highly flawed at least when it comes to user privacy and security, that asked users for their email address and email password in order to continue using Facebook.
The problem is that the notification asking users to confirm their email address looked like a necessary step for continuing to use the social network. It told users, “To continue using Facebook, you'll need to confirm your email address,” which clearly makes the verification step look obligatory.
Users would provide their email credentials, and Facebook would import their email contacts without asking any kind of permission; they would simply be notified that Facebook was importing their contact list.
Facebook issued a statement which reads: “Earlier this month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”
While the above statement says that the email verification was optional, it is clear from the screenshot of the verification message that it looked like an obligatory step for users to keep access to their Facebook accounts.
If there’s something positive about this mess, it’s that no email passwords were stored, at least according to Facebook.
So, the story of Facebook-related privacy scandals continues. And since U.S. federal prosecutors recently launched a criminal investigation into the data deals Facebook struck with more than 150 tech companies, including Amazon, Apple, Microsoft, and Sony, that allowed those companies to access the private data of Facebook users (sometimes even without their permission), you can bet we will see more Facebook-related privacy scandals in the future.