Slashdot Mirror


Facebook 'Unintentionally Uploaded' Email Contacts From 1.5M Users (cnet.com)

Facebook "unintentionally" harvested the email contacts of about 1.5 million of its users during the past three years. From a report: The activity came to light when a security researcher noticed that Facebook was asking users to enter their email passwords to verify their identities when signing up for an account, according to Business Insider, which previously reported on the practice. Those who did enter their passwords then saw a pop-up message that said it was "importing" their contacts -- without first asking permission, BI reported. A Facebook spokesperson confirmed that 1.5 million people's contacts were collected in this manner since May 2016 to help build Facebook's web of social connections and recommend other users to add as friends.

75 comments

  1. stupid fuckers by Anonymous Coward · · Score: 0

    You stupid fuckers will do anything for free shit. Stupid fucking idiots.

    1. Re:stupid fuckers by Anonymous Coward · · Score: 0

      No No! They're victims! The Russians made 'em do it!

    2. Re:stupid fuckers by Anonymous Coward · · Score: 0

      So you got caught up in that, and now you're pissed. And you project your shame on others not involved.

      typical nerd shit.

    3. Re: stupid fuckers by Anonymous Coward · · Score: 0

      I'm sure they could have asked for all their passwords, SSN, and bank pin and most sheep would have typed it in

  2. uhh.. sounds very much 'intentional' to me.. by Anonymous Coward · · Score: 1

    to help build Facebook's web ...

    someone's just finally calling them out on this much more widespread practice than the article leads you to believe.

    1. Re:uhh.. sounds very much 'intentional' to me.. by Anonymous Coward · · Score: 0

      Calling schmalling. These ass clowns could detonate a nuke in Times Square and then walk over to Nathan's to get a hot dog. NOBODY cares. Zuckerfag's wallet will shrink by a trillionth of an inch, and nobody will be punished. Oh, except for the easily bamboozled ignoramuses who use facebook -- they will continue taking it up the ass, as usual.

    2. Re:uhh.. sounds very much 'intentional' to me.. by Spamalope · · Score: 3, Informative

      Someone just now noticed how Facebook's app works? First run on a phone it steals the contact list - then asks what your privacy preferences are. I used a phone with a honey pot address book last time I tested that app...

    3. Re:uhh.. sounds very much 'intentional' to me.. by goose-incarnated · · Score: 3, Informative

      to help build Facebook's web ...

      someone's just finally calling them out on this much more widespread practice than the article leads you to believe.

      The bigger, ignored, story is that facebook got the passwords to millions of users' email accounts.

      --
      I'm a minority race. Save your vitriol for white people.
    4. Re:uhh.. sounds very much 'intentional' to me.. by Anonymous Coward · · Score: 0

      They meant to say "We unintentionally got caught uploading everyone's address book, we will be more careful next time."

    5. Re:uhh.. sounds very much 'intentional' to me.. by Dru+Nemeton · · Score: 1

      Yeah I didn't catch that until on my local paper's website I read, "Facebook said that they didn't read users e-mails" and it suddenly occurred to me that they couldn't do that unless they harvested the passwords as well.

      I have ZERO faith that they didn't harvest e-mails either to be honest.

  3. Huh? by Anonymous Coward · · Score: 0

    With 5 news stories like this every day for 3 years about bad shit Facebook is caught doing I don't understand how anyone could still be using it.

    Can everyone just delete their accounts so we don't have to read this stuff the next 3 years? Mark Zuckerberg himself was proven/caught saying "[the users] I don't know they just trust me with their data, dumb fucks." Does that not say everything you need to know?

    1. Re: Huh? by Anonymous Coward · · Score: 0

      Ignoring all the fake bot accounts and duplicate accounts, how many are used for actual interaction and how many are used to log into other sites without having to create a new account/email? It's like giving up your old email account to spam as a catchall.

    2. Re:Huh? by Anonymous Coward · · Score: 0

      With all the news stories about bad shit governments are caught doing with the internet. I don't understand why someone so principled as yourself is still using it. Are you a hypocrite perhaps?

  4. Huh by Anonymous Coward · · Score: 0

    Who would have thought that facebook was a pack of wankers this week, surely it was enough to be a pack of wankers last week, the week before, the week before that...

    Damn what we have is the largest set of Russian dolls where Facebook are wankers.

  5. Unintentionally? by black3d · · Score: 5, Insightful

    Except, they programmed it to do precisely that, so.. intentionally. Just unintentionally raised the ire of folks in doing so.

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    1. Re:Unintentionally? by markdavis · · Score: 5, Insightful

      >"Except, they programmed it to do precisely that, so.. intentionally. Just unintentionally raised the ire of folks in doing so."

      +1

      This is just super slimy. And the problem with this type of practice is that it doesn't just violate the privacy of that user, but every single person that user knows.

    2. Re:Unintentionally? by Phylter · · Score: 1

      It does the exact same thing once you give it access to your contacts on your phone. As far as I remember, they don't tell you what they're doing with the contacts information.

    3. Re:Unintentionally? by Sebby · · Score: 2

      And the problem with this type of practice is that it doesn't just violate the privacy of that user, but every single person that user knows.

      I smell another class-action lawsuit!

      --

      AC comments get piped to /dev/null
    4. Re:Unintentionally? by Anonymous Coward · · Score: 0

      Wait, the EULA doesn't include a personal arbitration clause? Fuckabug is slackin' when it comes to hiring lawyers...

    5. Re:Unintentionally? by tero · · Score: 3, Interesting

      LinkedIn does exactly the same thing. I've never given it permission to harvest my e-mails, yet it somehow seems to suggest me contacts based on addressbook matches alone.

      All social platforms are just slimy personal information harvesters. Burn them all.

    6. Re:Unintentionally? by Anonymous Coward · · Score: 0

      At least on our shop the code does not write itself and especially without management specifically requesting it to be written. On this case, FB just tried to implement the contact book and email harvesting on PC users and which they already do on every one of their mobile applications without anyone knowing. Features become computer glitches when enough bad publicity is written on them.

    7. Re:Unintentionally? by Dunbal · · Score: 1

      Well fuck them, I have no contacts and no friends, so there! Hahahahahaha

      --
      Seven puppies were harmed during the making of this post.
    8. Re:Unintentionally? by Anonymous Coward · · Score: 0

      I wonder when someone will unintentionally drop his baseball bat on Zuck's kneecaps.

    9. Re:Unintentionally? by JaredOfEuropa · · Score: 1

      Not the exact same thing. LinkedIn asks for permission. It uses the contact list on your mobile phone rather than trawling through your emails, and it certainly doesn’t ask for the password to your email account. I’ve no idea how it makes the suggestions that it does but it doesn’t seem to use my contact list (which it can’t anyway). Perhaps you got those suggestions because you were on their address list (and they granted access to it)?

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    10. Re:Unintentionally? by AmiMoJo · · Score: 1

      The suggestions are based on other people's address books. Unfortunately if they share their address books then LinkedIn gets your real name, phone number, email address, maybe a photo and more.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re: Unintentionally? by Anonymous Coward · · Score: 0

      Yep, beyond slimy. Why anyone would give them their email password, is beyond me. It's like a phishing email scam. There was a screenshot of their input screen. Mind boggling.

      http://www.businessinsider.com/facebook-uploaded-1-5-million-users-email-contacts-without-permission-2019-4

      Company needs to be done forever. People fucking wake up! Why tolerate this shit.

    12. Re:Unintentionally? by Sebby · · Score: 1

      Wait, the EULA doesn't include a personal arbitration clause? Fuckabug is slackin' when it comes to hiring lawyers...

      Wouldn't apply to non-Fuckedbook users whose data was "unintentionally" taken.

      --

      AC comments get piped to /dev/null
    13. Re:Unintentionally? by Anonymous Coward · · Score: 0

      yay, 3 baby ruths settlement for everyone whose information was stolen!

  6. The part where it told folks it was slurping by cdsparrow · · Score: 2

    up contacts is the mess up. If it hadn't given any indication it was doing it, then nobody would have noticed. So that's the unintentional part...

    1. Re:The part where it told folks it was slurping by Anonymous Coward · · Score: 0

      You can and should assume every time a company asks you to break the terms of service of another company by providing your login info they're planning to fully scrape all data in that account. Companies have been doing this for over a decade. It's surprising that someone is surprised about this now and is trying to make a big deal about it. Scraping your account details is common practice. Is the next thing they're going to be outraged about is LinkedIn and dating sites sending you fake emails saying XYZ wants to connect to you? Then you click the link which sends the initial contact request from you to XYZ. Really, really old news.

      It's all immoral, but it's all common practice. If they want to fix it, you push a law through. Trying to shame companies only results in a PR statement, lots of ad clicks for your personal blog, and nothing else.

    2. Re:The part where it told folks it was slurping by Anonymous Coward · · Score: 0

      False. Farcebook kept sending me emails to add certain people that I knew but I do not converse with or have them added anywhere online. The only way that farcebook knew that I knew these work contacts was by getting it from my phone contacts which I had never volunteered to farcebook.

  7. I'd pay big bucks by Anonymous Coward · · Score: 0

    For the Zucks contact list

  8. Proof by Anonymous Coward · · Score: 0

    If you grow fast enough that everyone depends on you (even better if you can actually make tons of money), you can do almost anything you want. If there's a government crackdown, you rile up your users against the government.

  9. How About Fining Them $10,000 Per Theft? by crunchygranola · · Score: 5, Insightful

    That seems like a fairly light penalty. Now if we count each user who had their contacts stolen in this manner that would be a $15 billion dollar fine. But I think that each contact stolen should be the definition of "theft" in this case. So if the average address book has, say 50 contacts in it, that would be $750 billion. Seems about right for a long running bit of organized crime.

    --
    Second class citizen of the New Gilded Age
    1. Re: How About Fining Them $10,000 Per Theft? by Anonymous Coward · · Score: 0

      His uncles run the courts so... Not gonna happen

    2. Re: How About Fining Them $10,000 Per Theft? by Anonymous Coward · · Score: 0

      No no no - theft is only illegal for little people.

    3. Re:How About Fining Them $10,000 Per Theft? by JaredOfEuropa · · Score: 2

      If we’re talking about restitution to victims rather than a fine, then it should be an amount for each contact stolen.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:How About Fining Them $10,000 Per Theft? by AmiMoJo · · Score: 2

      If anyone in the EU was affected then the GDPR fine could be up to 4% of global revenue.

      Facebook's revenue was $55.8 billion in 2018, so the fine would be $2.2 billion.

      If they get the max fine depends on how many EU citizens were affected and how damaging their actions were. I'd push for the full amount, but unfortunately I was not one of the affected so cannot submit a GDPR complaint.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:How About Fining Them $10,000 Per Theft? by mccalli · · Score: 1

      My question is how would I know if I was affected? I don't have a Facebook account, but I am a contact in the address book of those that do. So how could I find out whether affected or not?

    6. Re:How About Fining Them $10,000 Per Theft? by AmiMoJo · · Score: 1

      That's an excellent point. I was thinking that I had never installed the app so my address book was safe, but other people with my details may have.

      I'll submit a GDPR data subject access request over the weekend.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:How About Fining Them $10,000 Per Theft? by MooseTick · · Score: 1

      "But I think that each contact stolen should be the definition of "theft" in this case."

      If you're going that route, why not say each data element stolen could be a theft. That means if you had a work address, home address, cell #, phone #, birthday, and email address, that would equal 6 "thefts".

      This is bad, but you have to cut it off at some point. If I steal your bicycle, you can only get me for 1 theft. Not 152 for each part. Or 1x10^150 for each atom.

    8. Re:How About Fining Them $10,000 Per Theft? by Anonymous Coward · · Score: 0

      How about $100,000 fine (per instance) for using the user's credentials in a way different from what the user agreed to.

      Facebook said the e-mail username and password would be used to verify ownership of the e-mail. The user consented to verifying ownership. Ownership was verified as soon as the login process completed. Any subsequent action (listing contacts, retrieving contact details, listing e-mails, retrieving e-mail bodies, sending e-mails, deleting e-mails, using messages in deleted items to train a spam filter, etc) was unauthorized, which makes it a computer crime.

      It's exactly as if you gave your bank password to Mint for the purpose of summarizing your transactions, and they initiated a transfer of your money to their account.

      (And yes, sharing bank passwords with anyone is stupid. So is sharing e-mail passwords outside your immediate family.)

  10. Liars and thieves - that's social network cloudy by Anonymous Coward · · Score: 0

    Liars and thieves - that's social network cloudy services.

    In exchange for all your data and all your friend's data, you get to contact your friends and see their comments, photos and videos.

    As a friend, I'd like to say Fuck you very much for giving my data to those losers.

    And don't use gmail, fuckers.

  11. Unintentionally? by Archangel_Azazel · · Score: 1

    Pretty sure precious little of what that monster does is unintentional.

    That's the excuse my 6 year old tries when they're caught doing something they shouldn't be.

    --
    Your mind is like a parachute. It works best when it's been opened.
  12. address by kqc7011 · · Score: 1

    Doesn't matter for me, the address that FB has for me is my give away address. it is a real address and I do check it every month or so.

    --
    Passionately Indifferent
    1. Re:address by markdavis · · Score: 4, Insightful

      >"Doesn't matter for me, the address that FB has for me is my give away address. it is a real address and I do check it every month or so."

      Yeah, but if your REAL address were in anyone else's contacts that were handed over, then you were compromised without even knowing. It is just like jerk-wads who send out an Email "TO" everyone they know, instead of using BCC. Now all those people you don't know have your Email address. And when their lame-ass accounts or OS are compromised, start welcoming yet more spam (after dealing with the dozens of irritating REPLY ALL messages that follow).

      I am glad I have never had a FaceBook account, and never will, and proud of it.

    2. Re:address by Narcocide · · Score: 2

      I wonder if all the people in your email address book feel the same way about you giving away their privacy and anonymity along with your own in such a thoughtless manner.

    3. Re:address by infolation · · Score: 1

      Yeah, but if your REAL address were in anyone else's contacts that were handed over, then you were compromised without even knowing.

      Which is why I always give my *FAKE* email address to all my contacts. Haha! Spam me now, suckersss!!

    4. Re:address by organgtool · · Score: 1

      If any of your friends have your e-mail address, physical address, phone number, or photo in their phone as well as the Facebook app on their phone, then Facebook likely has a really nice shadow profile of you despite the fact that you've never created an account with them. Welcome to the information age in the U.S.: your data is not under your control.

  13. Then it formatted your hard disk by Anonymous Coward · · Score: 0

    No need for that since you can now use facebook

  14. Sounds like "unauthorized computer access" by Anonymous Coward · · Score: 0

    to me. Arrest FaceBook!

  15. Naturally by sjames · · Score: 1

    If an individual did anything like this they'd be facing a long list of felony charges, but since it's a corporation, the DOJ is yawning.

    1. Re: Naturally by astrofurter · · Score: 3, Interesting

      One (brutal, draconian, merciless) Law for human persons.

      One (light, permissive, forgiving) Law for corporate "persons".

  16. 'unintentionally' by beep54 · · Score: 1

    Yeah, right. https://www.esquire.com/uk/lat... [esquire.com]

    Zuck: Yeah so if you ever need info about anyone at Harvard
    Zuck: Just ask.
    Zuck: I have over 4,000 emails, pictures, addresses, SNS
    [Redacted Friend's Name]: What? How'd you manage that one?
    Zuck: People just submitted it.
    Zuck: I don't know why.
    Zuck: They "trust me"
    Zuck: Dumb fucks.

  17. You trusted by AHuxley · · Score: 2

    social media? Not a wise move.

    --
    Domestic spying is now "Benign Information Gathering"
  18. They also uploaded from their mobile apps by Drew+M. · · Score: 4, Informative

    In addition to that, without asking you, they uploaded all of your mobile phone contacts when you installed their mobile app: https://www.huffpost.com/entry...

    This is why I only access facebook from the web on mobile

    1. Re:They also uploaded from their mobile apps by sheramil · · Score: 1

      In addition to that, without asking you, they uploaded all of your mobile phone contacts when you installed their mobile app:

      I would gently question the wording of this. Facebook didn't "upload" your contacts, they forced your computers and phones to upload them. Without your permission. They stole it.

  19. zucker castle by Anonymous Coward · · Score: 0

    He's got the sugar and the gold, ya can't stop these chosen ones

  20. Phishing by Kohlrabi82 · · Score: 5, Interesting

    So Facebook was basically running that script like a phishing site to obtain users' passwords. Aren't there laws which apply to that? Or did the lawyers tell them to say "unintentionally" to save themselves from any penalties? Fuck lawyers (and broken legislation).

    1. Re:Phishing by Anonymous Coward · · Score: 0

      It's the excuse Google/YouTube and Twitter use all the time as well. "That was an accident, we fixed it though so don't worry"

      Can you do this every time you do something bad? Sorry officer it was an accident?

  21. Load up or down? by dromgodis · · Score: 1

    They intended to *download* the contacts but actually uploaded them instead?

  22. probably got paid by someone to do it by FudRucker · · Score: 1

    because they now are known to sell user data and told to stop, instead of just selling user data, they are secretly paid to make it look like a mistake, "Oops, we accidentally exposed data", how convenient, the sooner the government shuts down facebook, and makes selling user's data illegal the better

    --
    Politics is Treachery, Religion is Brainwashing
  23. Sure do a lot of stuff not intentionally by Anonymous Coward · · Score: 0

    Yeah sure they did it unintentionally (wink wink) Facebook does a lot of things unintentional as if there must be some real stupid employees who just mistakenly do this for months without realizing.

  24. I have read different report by Anonymous Coward · · Score: 0

    A report mentioning that number was not in 1.5 million but 1.5 billion. Yes, with the B.

  25. Bullshit ... by Anonymous Coward · · Score: 0

    'Unintentionally' my ass.

    Facebook has zero credibility with an 'oops' about something like this. Facebook systematically doesn't give a fuck about anybody's privacy, and Zuckerfuck seems quite proud of his own douchiness.

    This is why I don't use Facebook, and why all of my browsers block anything to do with Facebook ... I don't trust them in any way shape or form, and I most certainly do not consent to being tracked by them.

  26. Only game in town, dude... by Anonymous Coward · · Score: 0

    Facebook is the only game in town when it comes to discussion groups, keeping with family, sending messages, and creating events. There is no other social network that does all this, now that G+ is gone.

    So, call it what you will, until someone makes something better, people just have to put up with Facebook.

    1. Re:Only game in town, dude... by Anonymous Coward · · Score: 0

      Hi Mr Zuckerberg!

  27. The more we learn about Facebook... by QuietLagoon · · Score: 1

    ... the more evil Facebook looks.

    1. Re:The more we learn about Facebook... by flippy · · Score: 1

      ... the more evil Facebook looks.

      And/or idiotically incompetent. I can see a scenario where someone said "hey, we have code that does what we want it to do already, let's just reuse that code", without realizing that code did other things too. As a professional programmer, it's incompetent bordering on negligent to reuse code without serious analysis, and that's an entirely believable explanation for what may have happened here.

      Having said that, they're still liable for whatever the consequences of messing up that badly are, even if it wasn't intended.

  28. Destroy them by Anonymous Coward · · Score: 0

    Can't wait to see what kind of legal recourse takes place against them.

    It doesn't make sense that the USA has given more power to companies than to people. Every major tech company uses this excuse to do the thing they want to do, then ask for forgiveness because it was "a mistake." Tear them apart for their ineptitude the .

  29. Bet for Forgiveness Business Model by LifesABeach · · Score: 1

    The only accident I see here is the parents of certain FB staff members. And H1B's having no ethos.

  30. Riiiiiiight by ilsaloving · · Score: 1

    And Monica Lewinsky "unintentionally" repeatedly faceplanted onto Bill Clinton's crotch.

  31. NOT MINE by Anonymous Coward · · Score: 0

    Not mine. In April 10th it has been four years I deleted my Faceboot account.

    To the hell with that useless social thing.

  32. Opposite World by Anonymous Coward · · Score: 0

    Can we not focus the outrage of this blatant abuse against the 1.5m individuals who failed in the basic concepts of trust and Internet survival? Can we not dox and banish these people and their kin from the online world to avoid a new breed of vulnerable victims while rendering the internet a safer place in general? Can we stop blaming the ones who prey on the weak but actually the weak themselves? We are only as strong as our weakest link...