Earlier this month thousands of email accounts from providers such as Hotmail, Google Mail and Yahoo! Mail were compromised. If you haven’t heard about it, you can read up on the story at The Times Online.
Microsoft blamed phishing schemes rather than breaches in their own system: “We are aware that some Windows Live Hotmail customers’ credentials were acquired illegally by a phishing scheme and exposed on a website.”
Google’s statement started on a similar note: “This is not a breach of Gmail security, but rather a scam to get users to give away their personal information to hackers.”
Facebook should take some of the blame
And so should MySpace, Friendster and other social networks that feature email harvesting functions requiring users to submit their email account’s login details, such as Facebook’s Friend Finder function (Step 2 of the sign-up process):
The system works like this. You enter your Yahoo! Mail login details, for example, and a Facebook script will extract email addresses from your contacts list and fire off an email inviting them to join Facebook too.
It is a useful tool, I admit, but a risky one for two reasons:
- Are we 100% sure that login details are not being recorded? Perhaps some criminally minded engineer is recording all this info on a USB stick…
- If Facebook and MySpace are doing this, people will think that it’s a standard feature for social networks and that it’s OK to share their login details. Would you do the same on some obscure site?
Ironically, Facebook’s own terms prohibit this kind of thing.
Point 4.6 of their terms states:
You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.
I posed this question to Mozelle Thompson, a former FTC Commissioner and a legal consultant at Facebook, the other day (he was in town for an IAPP conference and gave a talk where I work), and his reply was that it is a very useful tool and that, ultimately, its users have a choice to use it or not. Not much of an answer.
Less marketing, more security
I doubt that social networks will want to give up such a viral tool, so I’m wondering whether email providers can put a stop to this practice. Surely they’re unhappy about it?