Over the weekend, a cybersecurity-focused Twitter user named e-sushi shared a screenshot of Facebook asking new users to share their email passwords when signing up.
The tweet was subsequently shared throughout the internet, and security experts blasted Facebook for the breach of privacy.
In response, a Facebook spokesperson told The Daily Beast that the company will no longer seek email passwords when people sign up to the social media platform.
“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” the spokesperson said in an email statement to The Daily Beast.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you’re practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
It’s unclear exactly how many people have experienced this verification method, although Facebook says it was only made available to a “very small number” of users.
Specifically, Facebook says the only people affected would have been those using an email address from a provider that doesn’t support the open-source login protocol OAuth. The protocol is used in the login systems of several tech giants, including Microsoft, Amazon and Google.
Going forward, Facebook says new users will be able to use current verification methods such as “a code sent to their phone or a link sent to their email,” regardless of email provider.
Facebook last came under fire for similar issues only two weeks ago, when the company admitted it had improperly stored “hundreds of millions” of user passwords.
Source: The Daily Beast