Earlier this month thousands of email accounts from providers such as Hotmail, Google Mail and Yahoo! Mail were compromised. If you haven’t heard about that, you can read up about it on The Times Online.
Microsoft blamed phishing schemes rather than a breach of its own systems — “We are aware that some Windows Live Hotmail customers’ credentials were acquired illegally by a phishing scheme and exposed on a website.”
Google’s statement started on a similar note — “This is not a breach of Gmail security, but rather a scam to get users to give away their personal information to hackers.”
Facebook should take some of the blame
And so should MySpace, Friendster and other social networks out there that feature email harvesting functions requiring users to submit their email account’s login details, such as Facebook’s Friend Finder function (step 2 of the sign-up process):

The system works like this. You enter your Yahoo! Mail login details, for example, and a Facebook script will extract email addresses from your contacts list and fire off an email inviting them to join Facebook too.
It is a useful tool, I admit, but a risky one for two reasons:
- Are we 100% sure that login details are not being recorded? Perhaps some criminally minded engineer is recording all this info on a USB stick…
- If Facebook and MySpace are doing this, people will think that it’s a standard feature for social networks and that it’s OK to share their login details. Would you do the same on some obscure site?
Ironically, Facebook’s own terms prohibit this kind of thing.
Point 4.6 of their terms states:
You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.
I posed this question to Mozelle Thompson, a former FTC Commissioner and a legal consultant at Facebook, the other day (he was in town for an IAPP conference and gave a talk where I work) and his reply was that it is a very useful tool and that, ultimately, its users have a choice to use it or not. Not much of an answer.
Less marketing, more security
I doubt that social networks will want to give up such a viral tool, so I’m wondering whether email providers can put a stop to this practice. Surely they’re unhappy about it?

My account has been hacked. Please help me.
By Geraldine Narul on Nov 24, 03:11 PM
Hi Geraldine,
I’m afraid I can’t be of help.
You should contact Facebook directly, perhaps reading their FAQs about security first.
By Lawrence on Nov 24, 03:34 PM
.net mag have published an article that echoes my concerns:
The great password scandal
I hope that this will help raise awareness of the issue.
By Lawrence on Nov 27, 06:17 PM
I found your link on .net’s blog. I am so glad this is being addressed somewhere on the web! I never use this function – if I want to be friends with those people I’ll do it myself. I don’t even like the applications because they get access to everyone you’re friends with. It’s all marketing data. Ugh.
By rayna diane on Dec 1, 02:17 AM
rayna, it would be interesting to know what percentage of social network users do use ‘Friend Finder’ functions. Given they tend to be designed as an integral part of the sign-up process — with small ‘skip this’ links placed out of the way — I suspect this figure is high.
I hope that .net’s article sparks a wider debate and perhaps some best practice too.
By Lawrence on Dec 1, 06:33 AM