9 Biggest Facebook Blunders and Scandals

Facebook is often in the news — and not for the best reasons. The company's recent history has been marred by privacy blunders, undetected vulnerabilities, and a slew of other scandals.

There are probably too many Facebook controversies to cover in one place, but we've selected some of the firm's worst privacy gaffes and some of its most amusing mistakes. Continue reading to learn about nine of the biggest Facebook blunders and scandals.

Facebook Shares Private User Messages with Netflix, Spotify

When you send a message on Facebook, you kind of expect it to only be read by the person or people you’re sending it to. But, in fact, Facebook may have actually shared some of those messages with third-party companies like Netflix and Spotify. That’s according to an investigative report by The New York Times last year.

While Spotify and Netflix were highlighted, there were many other firms implicated in the NYT piece. Reportedly, the firms with access to user Facebook Messenger messages were able to read, write or even delete those messages. Some companies even retained access to that sensitive data years after Facebook supposedly revoked it.

Facebook Knows Who You Call and Text

You expect Facebook to collect some forms of data on you, but there are extremes to how invasive that data collection can get. Back in 2018, Facebook was found to be logging the phone calls and text messages that users made on Android devices — typically without the users even knowing that this data was being harvested.

It wasn’t just calls or texts made via Facebook Messenger, either. According to a New Zealand software developer, Facebook collected records on every contact on a user’s phone, metadata about messages sent and received, and other information about every phone call he had made — including its time and duration.

Cambridge Analytica

Personality quizzes are popular ways to pass time on Facebook. But, unbeknownst to users, some of those quizzes also collected and shared data to a third-party political research firm without their consent. Yes, we’re talking about the Cambridge Analytica scandal.

All in all, the specific incident impacted around 87 million Facebook users. But more importantly, it sparked a long and enduring conversation about how tech companies handle and protect user data. A little over a year after the scandal, Facebook may even be considering a privacy overhaul because of it.

Accidental Messages

Attention to detail is something that some hardware companies are renowned for. But Facebook isn’t really a hardware company — at least, it wasn’t for most of its history. A recent blunder from the company’s Oculus VR division just goes to show that experience in making hardware is hard-earned.

Recently, Facebook’s head of VR Product, Nate Mitchell, tweeted that the company had accidentally printed “inappropriate” messages on some of its final Oculus Touch Controllers. Some of the messages included “The Masons Were Here” and “This Space For Rent.” Sure, it isn’t the biggest deal. But it is still pretty amusing.

Onavo & Research App

This is less of a blunder than, arguably, planned deviousness. Facebook, on two occasions, collected massive amounts of personal data on users of its first-party VPN apps. The first was an app called Onavo, which Apple pulled from its App Store when news spread of its data collection policies. The second, and perhaps more notable, was a Facebook research app that the social media giant convinced teens to side-load on their devices.

The app itself was a clear violation of Apple’s developer policies, particularly since it bypassed the App Store entirely by using an enterprise certificate meant solely for in-house apps. Apple responded by pulling that certificate, which reportedly caused chaos at Facebook HQ since it broke critical internal software.

"View As" Flaw

Facebook’s "View As" feature was a way for users to see their profiles through the “eyes” of their friends (or strangers). But there was buggy code within that feature that allowed it to be exploited by hackers. The vulnerability was found last year and Facebook says it could have impacted about 30 million accounts.

According to reports, the View As vulnerability may have allowed hackers to gain access to user profiles by stealing so-called access tokens. Some of the data that was obtained during the hack included email addresses, phone numbers, gender, religion, device information, and location, among others. At this point, it isn’t clear who is behind the attack, however.

Plaintext Passwords

The basic best practice for storing user passwords is to scramble or encrypt them. Platforms, like most social media giants, do this to protect those passwords. But Facebook apparently missed this memo when it reportedly stored “hundreds of millions” of user passwords in plaintext — which means that they were completely viewable.

The passwords were stored in this manner for several years, too. According to the social media giant, about 2,000 Facebook employees had access to the plaintext passwords. But Facebook said that it had “no evidence” that those employees had abused or otherwise improperly used that access.

Suspicious Reviews

If you wouldn’t put a giant Facebook-branded camera in your home, you’re not alone. The social media giant knows that its reputation isn’t sterling. That makes a series of five-star reviews left on Amazon by active Facebook employees earlier this year a bit more than suspicious.

Facebook denies coordinating this behavior, but it’s worth noting that Amazon reviews for the Portal device receive a “D” on Fakespot, a website that tracks the trustworthiness of a product’s reviews. Not to mention that the firm’s Portal devices actually do collect data, contrary to early statements made by the company.

Private Photo Exposure

Facebook has privacy settings that allow users to restrict who can see their content. But last year, buggy code within Facebook’s Photos API may have allowed developers to view user photos — even if those pictures were set to private mode. The company added that some developers could see photos that weren’t uploaded at all.

All in all, the buggy photo code impacted the photo privacy of about 6.8 million users. Specifically, it affected users who had given access to about 1,500 third-party apps made by 876 different developers. While Facebook worked quickly to patch the flaw once it discovered it, the vulnerability was still active for a full 12 days in September 2018.