Facebook admits harvesting contacts of the 1.5m email passwords it asked for

Originally published at: https://boingboing.net/2019/04/18/facebook-admits-harvesting-con.html


Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts. […] Business Insider then discovered that if you entered your email password, a message popped up saying it was “importing” your contacts without asking for permission first.




Facebook: “It’s just our nature.”


Facebook: Yeah, we hoovered up 1.5 million email address books without permission. But it was an accident!


I think what a lot of non-programmers don’t understand is how easy it is to inadvertently write a script that will fetch username and password combos from a database, connect to a webmail host, submit the credentials, access the user’s contact list, and upload the data it contains to another database, and then to inadvertently deploy and run that script. I mean, the keys are, like, right next to each other. It happens literally all the time.


Facebook’s cycle of promises and lies depends upon journalistic objectivity being warped into a perverse assumption of Facebook’s good faith.

It’s especially perverse since many MSM outlets buy into Romney’s whole “corporations are people, too, my friend.” If you knew a human who constantly acts like FB does, you might maintain your toxic relationship with him but you likely would stop assuming good faith after a while.


They have libraries for that, and they’re probably a little quirky.

EmailObj = ConnectEmail(UserObj, Hoover-Up-Everything=false, ImSure=true)

So easy to forget that third parameter…


I think we can say without knowledge - article claims that it didn’t say ‘scraping your other email accounts’ - it said ‘importing contacts’ which isn’t all that clear.


What we really need is a photo-shopped pic of Zuckerberg rifling through trash cans, pulling out old bills and receipts.

Photo-shopped we hope.


I remember the early days when facebook started really taking off (early 2000s?). Everyone signing up had to find and uncheck a buried box saying (paraphrase) “don’t hoover up my email contacts and invite them all to sign up for facebook”.
It was totally obvious that was how they got their foothold, yet somehow nobody was talking about what turds they were.


I get why Facebook was asking for email account passwords. Yes, it’s horrible from a security point of view. And it just won’t work if you have 2FA on. But they have a legitimate reason for doing it:

Facebook (along with the rest of social media) has a huge spammer/scammer/fakenews bot problem. Those bots will use disposable email addresses set to forward to another account, which will collect all of the verification links/codes.

This was Facebook’s ill-advised way of fighting that. The bots’ email addresses aren’t real accounts, so there’s no way for Facebook to log in and verify them.

I also get why they would scrape contacts. So new accounts have a suggested list of people to connect to. Just… don’t do it without asking first.


I remember back in the day I was rather panicked about implementing a “contact list” due to rumors of things that would harvest the Outlook or Outlook Express contact lists – but those were specific programs with specifically exploitable APIs.

I never realized until just now that in fact Yahoo Mail and GMail have been automatically appending items to a “contact list” every time I send a message to someone. Shucky darns.


I’m waiting for, “And then we accidentally sold them, and accidentally pocketed the proceeds.”


Of course it would be 'shopped. He’s got people to do that for him.

They wanted to upload to other servers… but oops.


Just so we’re all perfectly clear, committing a crime/tort accidentally does not make it legal. It’s called “negligence” and it’s the basis of most American civil lawsuits.

Not that anything will happen as a result of this, of course.


Facebook claims that doing this was “unintentional,” despite contact harvesting being the plainly obvious purpose of demanding people’s email passwords and notifications in Facebook informing users that their contacts were being imported.

So, FB’s logic is basically like Trump logic then? That is, just lie about it, and all the time. Somehow, Zuck strikes me as even more creepy than Orange. And that scares the hell outta me. Finally, I’d just like to say: what would Trumpbook look like?


Seriously, how the flying fuck do you unintentionally design your software to import contacts? This company is gross.