Facebook just can’t get a break. After a long string of accusations directed at the social platform for security and privacy concerns, Facebook has now been caught using an appalling security practice – demanding new subscribers hand over the password to their email.
Just weeks after it was revealed that Facebook had stored user passwords in plain text accessible to employees, the company everyone loves to hate is now making headlines for demanding the keys to users’ electronic inbox.
First reported by a developer identified on Twitter as e-sushi and independently verified by The Daily Beast, the dubious prompt appears when someone attempts to create a new account using a non-traditional email address.
“Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view,” e-sushi wrote. “By going down that road, you’re practically fishing for passwords you are not supposed to know!”
Facebook does note in fine print that the company won’t store your password, but judging by its past misuse of customer information, it’s hard to believe much of what Zuck’s company says these days.
In an emailed statement, a company spokesperson said, “We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.”
As a rule of thumb, never share the password associated with your personal email account with anyone. That password is meant to be used only by you and only with that email account. And, as always, it’s best to avoid reusing the same password across different services.