Facebook often runs an ad (Sponsored Story) on its service called "Account Protection." You may have seen it before. It says "Your account protection status: Very Low" and features an "Increase Protection" button which takes you to Facebook's Update Your Security Information webpage. Unfortunately, this webpage recently started misbehaving. It's now prompting Facebook users for their passwords immediately after they land on it.
Try it yourself. Navigate to facebook.com/update_security_info.php. If it doesn't work the first time, try a couple more times (some users have found it doesn't trigger for them the first time). If you do end up entering your password, which you really shouldn't have to, Facebook won't prompt you again.
As you can see in the screenshot above, Facebook wants you to "Please enter your password to continue" because "The page you are trying to visit requires that you re-enter your password." This is very poor practice on Facebook's part and is (understandably) making users question whether the ad is legitimate or not. I can assure you that the ad is indeed from Facebook and the URL is indeed from Facebook.com.
This is either a bug or Facebook is making a serious mistake. Security experts have been warning users for years not to hand over their password willy-nilly. I strongly believe Facebook should not be doing this.
In fact, the Facebook Help Center agrees with me (emphasis mine):
I got an email asking for my Facebook password. Do not respond to the email. Facebook will never request your password, and we advise against providing your login information to anyone under any circumstances.
Facebook has had problems with users asking about the legitimacy of this ad before. Here's another Facebook Help Center entry:
Why do I see an ad in my home page about increasing my account protection? Is this really from Facebook? Yes. The ad you see on your Facebook home page about your account protection is from Facebook. If you're seeing this message, you could be at risk of losing access to your Facebook account if you were to ever lose access to the email address you use to log in to Facebook.
We recommend that you add other contact information to your account (ex: secondary email address, mobile phone number). We also recommend adding a security question to your account, if you haven't already. Get started.
That "Get started" link takes you right back to… well, the link this article started with.
Miles Renatus from the Privacy and Security Guide first let me know about this issue. I have contacted Facebook and will update you if I hear back.
Update on March 3: "Our policy here is to ask a user to re-enter their password after 20 minutes has elapsed any time you attempt to modify sensitive account information – e.g. Email, phone #, security question, Page admins etc," a Facebook spokesperson said in a statement. "This check is to make sure the user is still accessing their account, and not another person who has gained access to the device."
I have tested this and it appears that the prompt indeed does not occur in the 20-minute timeframe after you log in to Facebook. That being said, I have told Facebook I think their documentation needs to be updated to reflect this policy.
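The policy the spokesperson describes is a standard re-authentication (sometimes called "sudo mode") check: the server records when the user last proved knowledge of the password, and any attempt to modify sensitive account data after that proof is older than a fixed window triggers a fresh password prompt. The following is an added example written to illustrate that mechanism; it is not Facebook's code, and the names (Session, Credential, SENSITIVE_ACTIONS, needs_reauth and so on) are assumptions made for the illustration. Only the 20-minute window and the list of sensitive fields come from the statement quoted above.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# The re-entry window from the Facebook statement: 20 minutes.
REAUTH_WINDOW_SECONDS = 20 * 60

# Actions the statement lists as sensitive (names are constructed for this example).
SENSITIVE_ACTIONS = frozenset({
    "change_email",
    "change_phone",
    "change_security_question",
    "change_page_admins",
})

PBKDF2_ROUNDS = 200_000  # illustrative work factor for the stored password hash


@dataclass
class Credential:
    """Salted PBKDF2 hash of the user's password (never the password itself)."""
    salt: bytes
    digest: bytes


def make_credential(password: str) -> Credential:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Credential(salt, digest)


def check_password(credential: Credential, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), credential.salt, PBKDF2_ROUNDS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, credential.digest)


@dataclass
class Session:
    """Server-side session state; the timestamp is never trusted from the client."""
    user_id: str
    password_verified_at: float  # unix time of the last successful password entry


class ReauthRequired(Exception):
    """Raised when a sensitive action is attempted outside the re-auth window."""


def needs_reauth(session: Session, action: str, now: float) -> bool:
    """True when `action` is sensitive and the last password proof is stale."""
    if action not in SENSITIVE_ACTIONS:
        return False
    return (now - session.password_verified_at) > REAUTH_WINDOW_SECONDS


def reauthenticate(session: Session, credential: Credential, password: str, now: float) -> bool:
    """Refresh the session's proof-of-password timestamp if the password is correct."""
    if not check_password(credential, password):
        return False
    session.password_verified_at = now
    return True


def perform_sensitive_action(session: Session, action: str, now: float) -> str:
    """Gate the change behind the freshness check; callers catch ReauthRequired
    and show the password prompt instead of applying the change."""
    if needs_reauth(session, action, now):
        raise ReauthRequired(f"{action} requires re-entering the password")
    return f"{action} applied for {session.user_id}"


if __name__ == "__main__":
    cred = make_credential("correct horse battery staple")  # constructed sample password
    login_time = 1_000.0
    session = Session("user-1", password_verified_at=login_time)

    # 19 minutes after login: no prompt, the change goes through.
    print(perform_sensitive_action(session, "change_email", login_time + 19 * 60))

    # 21 minutes after login: the sensitive page triggers the prompt.
    try:
        perform_sensitive_action(session, "change_phone", login_time + 21 * 60)
    except ReauthRequired as exc:
        print("prompt shown:", exc)

    # Re-entering the password refreshes the window for another 20 minutes.
    reauthenticate(session, cred, "correct horse battery staple", login_time + 21 * 60)
    print(perform_sensitive_action(session, "change_phone", login_time + 22 * 60))
```

Two details matter for anyone implementing this pattern: the freshness timestamp must live in server-side session state (a client-supplied value would let anyone skip the prompt), and the comparison of the submitted password against the stored hash should be constant-time. Non-sensitive actions are deliberately unaffected by the window, which matches the author's observation that ordinary browsing never triggers the prompt.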