Facebook demanded users' email passwords, got caught and stopped

Request for passwords was to verify users' accounts, according to the company

FILE PHOTO: Facebook CEO Mark Zuckerberg speaks at Facebook Inc's annual F8 developers conference in San Jose, California, U.S. May 1, 2018. REUTERS/Stephen Lam/File Photo

To log in to Facebook, the social media giant demanded new users turn over their personal email passwords to "verify" their account, an alarming request that analysts say left people vulnerable to cyberattacks and data theft.

“To continue using Facebook, you’ll need to confirm your email,” the message reads. “Since you signed up with [email address], you can do that automatically …” followed by a field for user's to enter their email password.

A Facebook spokesman told The National, "We understand the password verification option isn't the best way to go about this, so we are going to stop offering it."

Facebook's password request was first covered by The Daily Beast, a US-based American news and opinion website.

"I find it amazing in this day and age, where we tell everyone constantly 'No one needs to know your password but you', that Facebook thinks this is acceptable behaviour," Neil Haskins, head of security and data at technology company Careem in Dubai, told The National. "With their recent history of password protection, or lack thereof, I would maybe consider this to be a poor verification method and a monstrously bad idea."

The social media company, whose shares are up 28 per cent so far this year, said it was "a very small group of people" that had the option to share their email password in order to verify their account.

Data theft and cyber crimes were listed among the top five global risks, alongside natural disasters and climate change, in the World Economic Forum’s Global Risks Report 2019 and this latest Facebook security misstep comes amid a string of others for the company. Less than two weeks ago it was uncovered that Facebook employees were able to read millions of user passwords for years, which the company acknowledged after a security researcher posted about the issue online.

While Facebook said there was no evidence that its employees abused access to the data, thousands of staff could have searched for the passwords.

The security blog KrebsOnSecurity said about 600 million Facebook users may have had their passwords stored in plain text.

"I appreciate the fact that they have supposedly stopped the practice [of asking for email passwords] and backed down, but the fact that someone, somewhere within Facebook said, 'Hey, I have a great idea, let's ask users to give us their passwords from an external service' is amazing," Mr Haskins said.

Last week, Facebook chief executive Mark Zuckerberg penned an op-ed in the Washington Post outlining new global regulations he thought should governing the internet, recommending sweeping rules on hateful content, election security, privacy and data protection.