Facebook wants your friends

Avast Security News Team, 18 April 2019

The social media behemoth imported the contact info of 1.5 million users without their consent.

Before 2016, one of Facebook’s regular protocols was an option for users to verify their accounts using email passwords. Users were informed that if they chose this option, all of their email contacts would be uploaded as well, which would let the users see which of their friends were already on Facebook. (The info was also used by Facebook to better target ads.) Even though Facebook claimed the email passwords were never stored, the practice of asking users to enter such sensitive info and pulling all their contact info did not sit well with many cybersecurity experts, and in May 2016 the company changed that feature.

A revelation this week, though, proves it really didn’t.

While the information letting users know their contacts were being uploaded has been deleted from the log-in screens, the functionality has not. A cybersecurity researcher recently took notice that Facebook asks new users to input their email passwords upon signup in order to verify the users’ identities. Upon doing so, a message pops up telling users their contacts are being imported, with no way to cancel or stop the process.

In a statement to Business Insider, a Facebook spokesperson comments, “Last month, we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through...we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook...We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported.”

Calculating the number of contacts “unintentionally imported” is impossible, as any one user can have any number of contacts, from one or two to hundreds upon hundreds. The security gaffe is just the latest in a series of scandals that has hit Facebook over the last two years, beginning with the notorious data theft from Cambridge Analytica. Just earlier this month, we reported on a Facebook data breach that put over half a billion users at risk.

“Here’s yet another security fiasco from Facebook,” states Avast security expert Luis Corrons. “We are talking about potentially hundreds of millions of email addresses that they have stored without permission, and even though they say they have not done anything with them right now, their credibility is almost nonexistent. At least it seems that passwords were never stored.”

All social media users are strongly encouraged to review the privacy terms within each of their accounts and to adjust the settings in a way that makes them most comfortable. As cybersecurity experts, we have to emphasize that you should share as little sensitive data about yourself as possible online.

