As spotted by Twitter user e-sushi, the dodgy verification request came up in two out of three replication attempts, made with three different emails, three separate IPs, and two different browsers.
"To continue using Facebook, you'll need to confirm your email address," the notice reads. "Because you signed up with [email], you can do this automatically though [email provider]."
The Daily Beast verified the developer's findings. Users who are faced with the barrier to sign up can reportedly still verify themselves through a code sent to their phone or email address, but these options are hidden in the "Need help?" tab.
How such a practice escaped the notice of or was deemed acceptable by Facebook's security team is beyond imagining. You might as well phish your own users for the keys to their kingdom.
You should never hand over these credentials, as once an attacker is in your main email account, this can lead to other accounts being hijacked.
In a statement, a Facebook spokesperson said, "We understand the password verification option isn't the best way to go about this, so we are going to stop offering it."
Facebook may promise not to do it again and may keenly emphasize that these passwords are not stored, but given the company's privacy and security track record, this will unlikely be the last time the social network raises the ire of security advocates.
After all, it was only last month when the company came under fire for storing the passwords of hundreds of millions of its users in plaintext, without any form of protection or encryption, where they could be accessed internally.
Facebook's worst privacy scandals and data disasters