A range of news articles talking about me can be found at TheDailyBeast, SecurityWeek, USA Today, BusinessInsider, Newsweek, ArsTechnica, Gizmodo, Daily Mirror, Guardian, BBC News, RT, CNET, PC Welt, Golem, der Standard, Le Soir, and some other news outlets. I also got an honourable mention by the Electronic Frontier Foundation.

What happened?

In this particular case, I discovered and reported Facebook’s “email provider password fishing” implementation, which gave Facebook full access to people’s email accounts; including contacts and messages. After my report, Facebook took its insecure implementation offline and Facebook publically had to admit that it “unintentially” uploaded 1.5 million people’s email contacts without their consent. As Rob Price from BusinessInsider wrote in a tweet: “It's worth noting that while 1.5 million users’ contact books were *directly* harvested, the total number of people whose contact details were obtained may well be in the dozens/hundreds of millions, as people often have hundreds of contacts.”

After the dust settled, Facebook also admitted in a public statement that Facebook has fed this illegally collected contact data into Facebook’s systems, where they were used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add. Facebook did this from May 2016 up until my discovery and report on March 31, 2019. This means that the collected contact data has most probably also been used in Facebook’s Cambride Analytica scandal et al.

The impact of my finding and the following press coverage is rather huge. The Irish Data Protection Commission (an EU watchdog) engaged with Facebook on the matter (hint: GDPR) and the New York Times reports, the New York Attorney General is going to investigate Facebook’s Email Collection in this case.

“Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data,” said Letitia James, the attorney general of New York, in a statement. “It is time Facebook is held accountable for how it handles consumers’ personal information.”

Long story short:

With my tweet where I first went public about Facebook’s misbehavior, as well as with my follow-up tweets and the help of according echos in international press, I’ve practically put an end to the insecure fishing for email passwords and privacy violating harvesting of contact data by Facebook, which impacted millions of people.

If you want to dive in deeper, check out the related Twitter Moment I created: “Facebook fishing for email provider passwords & stealing contact data”. While not everything that happened in front as well as behind the screens was communicated via Twitter, that collection of tweets somewhat wraps up the stages of how things evolved.

By the way…

I never received any reward, bounty, or – at least – a bit of swag for finding and reporting this. (Thanks for trying to buy my silence though, Facebook!) Instead, I actively decided to draw satisfaction from the fact that I was able to make the digital world a bit safer by securing millions of the people’s data and by pinning Facebook down for its abuse of user trust. This Facebook thing was simply too big to be hidden behind some NDA wall in trade for a hand full of dollars. Might be me, but I am convinced that going down the NDA rabbit hole woulnd’t have been a very whitehat thing to do in this case.


My initial tweet:

Facebook acknowledgement:

Statement by New York Attorney General Letitia James’ Office:

Some screenshots of the media coverage, as linked above.

© 2019 e-sushi
disclaimer & privacy