- Facebook used to ask new users for their email account password as a verification step.
- Alongside that, it offered to upload the new user's email contact list (e.g. from Google Contacts).
- In May 2016, Facebook removed the message that explained the contact-upload feature, but the underlying feature kept running, which means contact lists were being uploaded automatically, without the user's consent.
- The issue was noticed in April 2019 (almost three years later), after Facebook stopped asking for email passwords as a verification step.
- Facebook says it will notify the affected users and delete their data, which it claims it has not shared with anyone.
The news is shocking. How does a company like Facebook, with huge cash flow, top developers and a large audit team, foul up so badly? And it is not even a new issue: this is a three-year-old problem. It makes one wonder, if a company like Facebook cannot keep its own security issues under control and gets away with incidents like this, how can we expect small and medium companies to justify the large costs of security? Are they supposed to take it as lightly as Facebook does? This is not the first security incident of this kind, and it probably won't be the last.
Our take is that taking any step is better than taking none. If you have a small budget, use it wisely. Get yearly audits done, keep an inventory of the data you collect and of the parties you share it with, and review it when a feature or its consent notice changes, since that is exactly how a feature like this keeps running unnoticed. Focus on the core issues of your system; something like a risk register helps with that. Where you cannot remove a risk, find an alternative that mitigates it: it may not eliminate the risk, but it can lower it substantially.