Facebook email snafu a security red flag to businesses

Facebook's latest snafu, which led to some users having email addresses in their smartphone contact lists changed to @facebook.com, exemplifies the need to build a security wall around corporate apps and data on a mobile device, a security expert says.

The Facebook controversy started late last month, when the social network quietly changed the default email address for all users to [name]@facebook.com. The change meant that messages would be forwarded to Facebook profile inboxes instead of the user's chosen email address.

The situation got worse this week when it was reported some users found that the switch led to email addresses in their contact lists being changed to @facebook.com. For this to occur, the users had to have Facebook contact-sync enabled on Android, BlackBerry or iOS 6 devices.

The incident shows what can happen in a highly competitive market. Facebook is trying hard to promote its email service over competitors, namely Google's Gmail and Yahoo Mail.

For businesses, the mess is a warning of what can happen if employees are allowed to access corporate email, data and apps without separating them from all other information and services on a smartphone. Sensitive corporate data could end up on Facebook or another Internet service.

"It is a very dangerous reality that I may intend to communicate something highly sensitive from my iPad or Android [device] and not even realize I am emailing you on your Hotmail or Facebook address instead of your corporate account," Chester Wisniewski, senior security adviser for Sophos, said by email.

People whose contact lists were altered found that messages sent never made it to their recipients. This led to complaints from users and a statement from Facebook, which blamed the fiasco on a bug that it has since fixed.

"For people on certain devices, a bug meant that the device was pulling the last email address added to the account rather than the primary email address, resulting in @facebook.com addresses being pulled," a Facebook representative told ABC News.
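To make the reported defect concrete, here is an added illustration (not Facebook's or any vendor's code) of a contact-sync address resolver: the buggy variant picks the most recently added address, the corrected variant picks the one flagged primary, and a device-side merge guard shows one way an enterprise policy could refuse to overwrite a stored corporate address with one from an untrusted domain. The account records, the `primary` flag, the `added_at` ordinal and the allowed-domain policy are all constructed assumptions.

```python
"""Added illustration of the contact-sync defect described in the article.
Not Facebook's code; all account data below is constructed sample input."""
from dataclasses import dataclass


@dataclass
class EmailEntry:
    address: str
    primary: bool      # assumed flag marking the user's chosen address
    added_at: int      # constructed ordinal; higher means added later


@dataclass
class Account:
    name: str
    emails: list


def buggy_sync_address(account):
    """Mirrors the reported bug: return the last address added to the account."""
    return max(account.emails, key=lambda e: e.added_at).address


def fixed_sync_address(account):
    """Corrected behaviour: return the address flagged primary, falling back
    to the oldest address only if nothing is flagged."""
    primaries = [e for e in account.emails if e.primary]
    if primaries:
        return primaries[0].address
    return min(account.emails, key=lambda e: e.added_at).address


def merge_contact(local_email, synced_email, allowed_domains):
    """Assumed device-side guard: a sync source may replace a stored address
    only if the new address belongs to a domain the policy trusts. Otherwise
    keep the local value and return a message suitable for an audit log."""
    domain = synced_email.rsplit("@", 1)[-1].lower()
    if local_email and domain not in allowed_domains:
        return local_email, f"kept {local_email}; refused sync to {synced_email}"
    return synced_email, "accepted"


# Constructed sample: a corporate primary address plus a later-added @facebook.com one.
SAMPLE = Account("Alice Example", [
    EmailEntry("alice@example.com", primary=True, added_at=1),
    EmailEntry("alice.example@facebook.com", primary=False, added_at=2),
])

if __name__ == "__main__":
    print("buggy :", buggy_sync_address(SAMPLE))
    print("fixed :", fixed_sync_address(SAMPLE))
    print("guard :", merge_contact("alice@example.com", buggy_sync_address(SAMPLE), {"example.com"}))
```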

Fixing changes to contact lists involved retrieving previous versions from the service provider or a backup system. Facebook users who wanted to switch back to their previous default email on the social network had to go to their profile page and click through to edit their contact info.

Beyond the Facebook mix-up, the fact that mistakes can occur anywhere highlights the need to have sensitive information encrypted and accessible only to authorized recipients, Wisniewski said.

"Keeping personal apps and corporate apps separate is a necessary evil," he said. "Where at all possible, cloud syncing should be carefully considered."

Stories by Antone Gonsalves