Facebook demand for new user email passwords reveals appalling lack of security awareness

Facebook says it understood the practice was poor -- but did it anyway.


No steps forward, three steps back -- it seems that with every promise Facebook makes to take the security and privacy of its users seriously, yet another example of appalling practices surfaces.

The latest in Facebook's long list of security mishaps and disasters is the requirement for some new signups to the social network to provide their email passwords for the purposes of verification.


As spotted by Twitter user e-sushi, the dodgy verification request came up in two out of three replication attempts, made with three different emails, three separate IPs, and two different browsers.


"To continue using Facebook, you'll need to confirm your email address," the notice reads. "Because you signed up with [email], you can do this automatically through [email provider]."

The Daily Beast verified the developer's findings. Users who are faced with the barrier to sign up can reportedly still verify themselves through a code sent to their phone or email address, but these options are hidden in the "Need help?" tab.

How such a practice escaped the notice of or was deemed acceptable by Facebook's security team is beyond imagining. You might as well phish your own users for the keys to their kingdom.

You should never hand over these credentials: once an attacker is in your main email account, this can lead to other accounts being hijacked.


In a statement, a Facebook spokesperson said, "We understand the password verification option isn't the best way to go about this, so we are going to stop offering it."

Facebook may promise not to do it again and may keenly emphasize that these passwords are not stored, but given the company's privacy and security track record, this is unlikely to be the last time the social network raises the ire of security advocates.


After all, it was only last month that the company came under fire for storing the passwords of hundreds of millions of its users in plaintext, without any form of protection or encryption, where they could be accessed internally.
