
Facebook's privacy gaffes keep coming. On Wednesday, the social media company said it collected the stored email address lists of as many as 1.5 million users without permission. On Thursday, the company said the number of Instagram users affected by a previously reported password storage error was in the "millions," not the "tens of thousands" as previously estimated.

Facebook said the email contact collection was the result of a highly flawed verification technique that instructed some users to supply the password for the email address associated with their account if they wanted to continue using Facebook. Security experts almost unanimously criticized the practice, and Facebook dropped it as soon as it was reported.

In a statement issued to reporters, Facebook wrote:

Earlier this month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.

Business Insider first reported the harvesting of the email contacts. When users gave their passwords to Facebook, the publication said, they received a message declaring that Facebook was importing their contacts. The collection happened without asking for permission first.

(Screenshot: tweet by @originalesushi)

While Facebook's statement referred to the email verification step as an "option," the language displayed in a tweeted screenshot of the message (right) told users: "To continue using Facebook, you'll need to confirm your email address." Many users, it seems, could be forgiven if they thought supplying their password was a condition of using the social media site. A Facebook representative told Ars that these users could also have confirmed their accounts with a code sent to their phone or a link sent to their email had they clicked the "need help" button in the pop-up window.

Hashing it out

Facebook has said it didn't store the passwords, but in yet another Facebook privacy blunder disclosed last month, the company confirmed that it improperly stored hundreds of millions of user passwords in plain text rather than as cryptographic hashes. Hashes are long strings of random-looking text that are generated by passing a password, message, or file through an algorithm. Because hashes can
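As an added illustration (not code from Facebook or from the article) of the difference the paragraph draws, the snippet below puts the flawed plaintext storage pattern beside a salted, iterated hash store with a constant-time verify. The user names, the PBKDF2 work factor and the sample records are assumptions chosen for the example; a dedicated password hash such as scrypt or Argon2 would be the usual production choice, PBKDF2 is used here only because it is in the standard library.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; production systems tune this much higher.
ITERATIONS = 200_000


def store_plaintext(store: dict, user: str, password: str) -> None:
    """The flawed pattern: the password itself is written to storage."""
    store[user] = password  # anyone who can read the store can read every password


def store_hashed(store: dict, user: str, password: str) -> None:
    """Salted, iterated hash: the store keeps no recoverable copy of the password."""
    salt = os.urandom(16)  # per-user random salt, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    store[user] = {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_hashed(store: dict, user: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    record = store.get(user)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def password_visible_in_store(store: dict, password: str) -> bool:
    """Audit helper: does a serialized dump of the store contain the password string?"""
    return password in repr(store)


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "correct horse battery staple")
    store_hashed(hashed, "alice", "correct horse battery staple")
    print("plaintext store leaks password:", password_visible_in_store(plain, "correct horse battery staple"))
    print("hashed store leaks password:   ", password_visible_in_store(hashed, "correct horse battery staple"))
    print("verify with correct password:  ", verify_hashed(hashed, "alice", "correct horse battery staple"))
    print("verify with wrong password:    ", verify_hashed(hashed, "alice", "wrong"))
```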


Ars Technica
