Facebook has once again been accused of poor security for asking some users for passwords to their email accounts. It was only a few weeks ago that Facebook was criticized for storing millions of user passwords in plaintext, accessible to their employees and unencrypted.

Since the Cambridge Analytica scandal in 2018 in which Cambridge Analytitica had harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political purposes, it seems Facebook has been caught up in a chain reaction of security scandals.

Facebook has now been caught asking users for the email password for the email linked to their account so that they can automatically verify new users.

The request from Facebook doesn’t appear for all new users, but only for email accounts from email providers that Facebook deems suspicious.

The practice was first noticed by Twitter account @originalesushi ran by e-Sushi. In a tweet e-Sushi said:

“Tested it myself registering 3 times with 3 different emails using 3 different IPs and 2 different browsers. 2 out of 3 times I faced that email password verification thing right after clicking “register account” on their front page sign up form,”

Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l — e-sushi (@originalesushi) March 31, 2019

In response to the issue, Facebook admitted the practice but said the passwords were not stored on Facebook servers. However, it seems they are going to put an end to it:

“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,”

It isn’t clear how widely the request was deployed, and Facebook said users still retained the option to bypass the request and use other methods to verify their account such as “a code sent to their phone or a link sent to their email”.

Never giving out your password is one of the golden rules of the internet, and with good reason, it makes you incredibly vulnerable to phishing attacks. It seems strange that Facebook would even go down this route that is considered extremely bad practice by cybersecurity experts. Perhaps Facebook were relying on their perceived status as a trustworthy company. However, that seems somewhat shortsighted given the privacy and security scandals they have experienced in the last year.

Our advice is not to hand out your email credentials to any company, regardless of whether you trust them. You can’t know how they are storing your password and how secure their systems are. Maybe you trust Facebook, but what about hackers who gain access? This is also why it’s a good idea to use separate passwords for all of your accounts. If one of your passwords is compromised, the damage is only limited to one account.

Security Consultant Jake Williams talked to the Daily Beast about the incident and said:

“That’s beyond sketchy,”

He continued:

“They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”