As The Daily Beast reports, when some new users sign up to Facebook they are met with this message: "To continue using Facebook, you'll need to confirm your email. Since you signed up with [email address], you can do that automatically through [email host website]."
A form box below the message then asks users to enter their email password, and while there is a grayed-out line underneath that says "Facebook won't save your password," giving external account details such as passwords to another website, especially one that has such a poor history of protecting customer data, is never a good idea.
According to Business Insider, if a new user does enter the password for an email address, a pop-up appears that says Facebook is "importing contacts," despite users not giving permission for the social media site to do so. However, it's unclear whether Facebook is actually pulling in contacts, as it did not add any of the contact list entries that were made as part of the test.
It appears that these peculiar password boxes are only reserved for certain email accounts, such as Yandex and GMX. Gmail users, for example, do not see the option as Facebook instead suggests verifying your identity using the authorization tool OAuth, which does not require you to enter your password.
In a statement, Facebook insisted it does not store email passwords, but said it would no longer request them. "We understand the password verification option isn't the best way to go about this, so we are going to stop offering it," Facebook said.
Although Facebook gave no timeline for when the practice would end entirely, PCMag could not recreate the issue. When creating a new account with a Yandex email address, Facebook asked to confirm the identity of the address with a code emailed to our inbox (at the time of writing, said email has not arrived.)
Facebook has repeatedly come under scrutiny due to its mishandling of users' personal information. The company stored up to 600 million users passwords in plain text on internal servers that could be searched by over 20,000 employees, and had to shut down its VPN app when it was revealed the app tracked users and sent the information back to Facebook.
Moreover, when users gave their mobile number to the social media giant in order to enable two-factor authentication, it was revealed that other users could use this private information to look you up; in the previous year, Facebook was also caught passing those same cell phone numbers over to advertisers without users' informed consent.