Lloyd Bosworth : archaeologist | human | beard

Why is Facebook’s Friend Finder Asking for my Email Password?

Is Facebook phishing for email passwords?

There are really only two rules for keeping an email account secure: choose a strong, unique password and don't share that password with anyone else. Follow these two rules and you close off the most common ways an email account gets taken over. If you do share your password, you have lost control of it. It's as simple as that. Even if you trust the person you have given it to, and made them promise really really hard that they won't tell anyone else, there is nothing you can do to stop them, and nothing you can do to stop whoever compromises them.

So why is Facebook asking me for my email account password?

I have recently re-joined Facebook after deleting my old account some four years ago. My old account was such an unholy mess of personal and professional that the thought of untangling it all seemed to be more trouble than it was worth, hence the nuclear option.

Now I’m back, I find that Facebook hasn’t changed much at all. Old friends are easy to find and there is the snowball effect that for each friend request I send, I receive many more requests in return.

One thing that is new, or at least something I'd never seen before, is the option to have Facebook scrape the contact list of my email account for people I know; they will then automatically be sent friend requests on my behalf. What a great tool!

Why is Facebook asking me for my email account password?

But wait. The way Facebook offers to access this contact list is by having me hand over the password to that account. That's worth repeating: Facebook is asking for the password to my email account so that they can log in, scrape my address book and match any addresses gathered to other users on Facebook. There is a well-established way to give a third party limited, revocable access to an address book without revealing the password (the "Allow this app to read your contacts" authorisation flow that the major email providers offer), so a plain password prompt here is the wrong design, not the only possible one. Asking for the password outright is not the behaviour of a legitimate company, but of a crook phishing for user data to exploit for fraudulent activities.
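The matching step described above needs nothing more than a list of addresses. The following is an added example, not code from the original post and not Facebook's own: it takes an address book in the CSV form a webmail provider can export (the sample rows are constructed) and matches it against a hypothetical set of registered users. The `normalise` rules (lower-casing, dropping a `+tag` sub-address, ignoring dots in Gmail local parts) are assumptions about how such a matcher would treat equivalent spellings. No credential is involved at any point, which is the whole point: the password Friend Finder asks for buys far more than this.

```python
from __future__ import annotations

import csv
import io
from typing import Iterable

# Constructed sample: a fragment of an address book as exported from a
# webmail provider (CSV). Not real data.
SAMPLE_ADDRESS_BOOK_CSV = """Name,E-mail Address
Alice Example,Alice.Example@gmail.com
Bob Builder,bob+newsletters@example.org
Dr C. Surgery,reception@example-clinic.co.uk
Alice Again,alice.example+fb@GMAIL.COM
"""

# Constructed sample: what the social network already holds, i.e. the
# e-mail addresses of its registered users (hypothetical, not Facebook's data).
REGISTERED_USERS = [
    ("alice.example@gmail.com", "Alice Example (user 1001)"),
    ("Bob@example.org", "Bob Builder (user 1002)"),
]

# Assumption: Gmail treats dots in the local part as insignificant and
# googlemail.com as an alias of gmail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalise(address: str) -> str:
    """Canonicalise an e-mail address so that spellings that deliver to the
    same mailbox compare equal. Lower-cases, strips a '+tag' sub-address
    (assumed to be a sub-address for every domain) and, for Gmail, removes
    dots from the local part. A string without '@' is returned lower-cased."""
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep:
        return address
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def contacts_from_csv(text: str) -> list[str]:
    """Pull the raw addresses out of an exported address book."""
    reader = csv.DictReader(io.StringIO(text))
    return [row["E-mail Address"] for row in reader if row.get("E-mail Address")]


def match_contacts(
    contacts: Iterable[str], registered: Iterable[tuple[str, str]]
) -> tuple[dict[str, str], set[str]]:
    """Return (matches, unmatched): matches maps each normalised contact
    address to the registered user it belongs to; unmatched holds the
    normalised addresses that belong to nobody on the service. Only
    addresses are consumed: no login, no mailbox access."""
    index = {normalise(addr): who for addr, who in registered}
    matches: dict[str, str] = {}
    unmatched: set[str] = set()
    for raw in contacts:
        key = normalise(raw)
        if key in index:
            matches[key] = index[key]
        else:
            unmatched.add(key)
    return matches, unmatched


if __name__ == "__main__":
    found, leftover = match_contacts(
        contacts_from_csv(SAMPLE_ADDRESS_BOOK_CSV), REGISTERED_USERS
    )
    for key, who in sorted(found.items()):
        print(f"{key} -> {who}")
    print("not on the service:", sorted(leftover))
```

Two things are worth noticing when you run it. The two spellings of Alice's address collapse to one match, so the matcher never needed the password to tell them apart. And the clinic's address ends up in `unmatched`: that is exactly the set of addresses the site has no user for, and it is also the set most likely to be sensitive, which is why question 8 in the list below matters.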

But we know that Facebook aren’t the bad guys

I’m not suggesting that Facebook is trying to steal my identity or commit fraud in my name. The truth is, they don’t need to. That type of activity is small-time stuff compared to selling the personal information of users to advertisers. I know how the cliché goes: if the service is free, I am the product and I will be sold to the highest bidder. But I’m happy with that, right? I know how Facebook works. I know the deal I’ve entered into: I hand over personal information; they provide a free service that I find useful.

However, asking me to hand over a password goes beyond a reasonable request for information and Facebook knows this. They know the risks and dangers of revealing passwords, even if their users may not. Don’t believe me? Well, such activity is not allowed under Facebook’s own Ts&Cs. That’s right, you are forbidden from sharing your Facebook password with anyone.

You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.

The reason for this should be obvious: if someone has the password to your Facebook account, they are effectively impersonating you. So you give a friend your password so they can update your profile, post a pic, whatever, fine, no harm done there. If they access your account again, though this time without your consent, well, that is unauthorised access to your account, which is a criminal offence in most jurisdictions (in the UK under the Computer Misuse Act 1990).

What this means is that your Facebook and email passwords are as much a part of your identity as anything else you share online. Yet Facebook only care to protect the one and are happy to compromise the other.

Yeah, but who reads the Ts&Cs anyway? And Facebook is unlikely to enforce that rule. Well, probably not. But what about your email provider? They also have Ts&Cs that you’ve probably not read, but you can guarantee they’ll have something in them about your responsibility in keeping your password secure.

What’s the harm?

Who would be happy for advertisers to know which medical companies they’ve contacted or what medical products they may have bought? How about how often they’ve contacted their GP or local MP? What about political parties? What about that dating agency they secretly joined (If you are on Facebook and cheating on your partner, then Facebook probably already knows)? What about the newsletters from any pro/anti pressure groups? All that online shopping generates a lot of useful information about buying habits, too.

Many people may not care about sharing potentially sensitive information such as this; after all, much of what used to be private is now shared freely online anyway. So clearly this isn't the issue. The issue is that, if the password isn't changed immediately afterwards, anyone using this service has lost control of their email account regardless of how benign Facebook's intentions may be. And even changing it only stops the password being used again; it does not recall whatever was copied while the password was valid.

At the time of writing, 50% of my friends had used this service. That's half of my friends who have intentionally compromised the security of their email accounts, and this points toward a bigger issue: Facebook are normalising insecure behaviour online, which in turn makes it easier for criminals to harvest passwords through phishing attacks. When a genuine phishing attack is encountered (ironically, this may well be on Facebook itself), people have been conditioned to be more trusting of requests for such information.

In this way, Facebook are no longer neutral providers of a service, but actively involved in a hostile action that will result in a less secure online environment for everyone. Worse still, Facebook is using people’s friends, who it assumes are trusted, to endorse this really dodgy service.

Also, I don’t know how it works and, more importantly, how it’s limited. The text that reads, “See how it works” in the image above, isn’t a link to more information (at least it isn’t with my setup of Chrome 48.0.2564.116 for Mac). Searches for more information on the service have also drawn a blank. This has left many questions unanswered:

  1. How long does Facebook store the password?
  2. Is it stored encrypted or in plain text? (To log in on my behalf they must be able to recover it, so at best it is reversibly encrypted, never hashed the way a login password should be.)
  3. Is the processing of the scraped data performed by Facebook’s algorithms, or can a human access it too?
  4. At what interval is the address book scraped for new contacts?
  5. Are they scraping the email subject line?
  6. Are they scraping the email body text?
  7. Do they measure the frequency that messages are sent and received to each contact?
  8. If an email address isn’t associated with a Facebook account, is it then deleted from Facebook’s servers?
  9. If multiple email addresses are associated with a single Facebook user, are these also stored against that account?

Should I give Facebook my email password?

No, of course you shouldn’t. You shouldn’t give a password to anyone. Will you, though? Probably. If you do, you should change that password immediately.


  • anon510

    November 29, 2017 at 3:32 am

    Facebook *are* the bad guys

    do your research and learn about Mark Zuckerberg's history

    he is a scumbag and Facebook is literally a phishing site

    the difference is that Facebook has a lot of money and has brainwashed the masses into thinking it's a legitimate site

    it's literally a massive data mining operation and a flat-out phishing site

    new users are actually *required* to give their email password to sign up, it's no longer even an option

    it's mandatory

    Facebook is a phishing site

    they *are* the bad guys

  • David Barnes

    February 17, 2019 at 2:02 pm

    I did find a way to join Facebook without giving my email password. What I find disgusting is that Facebook are able, via their algorithms, to suggest friends to me (who are FB members) who have ever emailed me at the email address I used. (That can be proved.)

    I believe we have a moral and legal duty to our email contacts to safeguard any information we have about them. In my opinion my contact list is "data" I hold in my email contacts list, and by even allowing anyone to have access to that "data" I would be breaking data protection laws. (I'm in the UK.)

    The only safe way of joining, that I can think of, is to apply for a new email account (which would have no contacts or emails sent to or from it, other than set-up details) to use, and let Facebook see if they could find anything there that compromised my security or the security of anyone who'd ever emailed me.

    Note: changing the password will not prevent FB from discovering who has emailed you, if that person is a FB member.