I’ll be honest… I’m finding it hard to even summon the energy to write yet another freaking article about a Facebook fiasco. In fact, there are two this week alone. But they’re serious and if for some reason you have not already deleted Facebook, you need to hear about them.
A Tale of Two Screw-Ups
First, Facebook was caught basically phishing its users and “unintentionally” harvested email contacts from 1.5 million users. As part of some ridiculous account verification mechanism, Facebook asked new users to supply the password to their email accounts. Read that again. When signing up for an account, Facebook asked users for their email address (normal) and also for the password for that account (not at all normal). And of course, with that password, Facebook then had full access to that user’s email account, including all the contacts in their address book. And then, whoops, we snarfed them all up. Sorry about that.
Second, Facebook left the passwords for millions of its users on an internal server with no protections, available to thousands of Facebook employees. That’s actually not the second item – that’s old news. At the time they announced this screw-up last month, they said they also may have left ‘thousands’ of Instagram passwords unencrypted lying around, too. Now we find out that it was more like millions. (Note that Facebook owns Instagram.)
First of all, you should never, ever, ever share your email account password with an unrelated service. They will say “let us help you find other friends!” but just say no. Also, never, ever allow apps you install to access your contact list or address book on your smartphone unless they really need it (like an email app).
Second, be sure to review all the apps you’ve linked with Facebook and what data they’re allowed to see. Surveys, games, and other innocuous-seeming apps will sometimes ask you for special permission to access Facebook – this often grants them access to stuff they have no business accessing.
How to Delete Your Stolen Contacts
Full disclosure: I don’t have a Facebook account any more, so I can’t verify these steps. But according to this article, it’s pretty simple:
- Log into Facebook.com
- Go to the contacts management page.
- Review and delete any contact info that Facebook has no business knowing.
It’s hard to say if deleting this info here will really and truly remove it from all the nooks and crannies of Facebook’s dossier on you. But it can’t hurt.
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!