• United States



by Antone Gonsalves

Facebook email snafu a security red flag to businesses

Jul 05, 20123 mins
Access ControlCloud ComputingCloud Security

Keeping personal, corporate apps separate a 'necessary evil,' says security expert

Facebook’s latest snafu, which led to some users having email addresses in their smartphone contact lists changed to, exemplifies the need to build a security wall around corporate apps and data on a mobile device, a security expert says.

The Facebook controversy started late last month, when the social network quietly changed the default emails for all users to [name] The change meant that messages would be forwarded to Facebook profile in-boxes, instead of the user’s chosen email address.

[Also read Securing Facebook: With a little help from his 800 million friends for an exclusive Q&A with Facebook security chief Joe Sullivan]

The situation got worse this week when it was reported some users found that the switch led to email addresses in their contact lists being changed to For this to occur, the users had to have Facebook contact-sync enabled on Android, BlackBerry or iOS 6 devices.

The incident shows what can happen in a highly competitive market. Facebook is trying hard to promote its email service over competitors, namely Google’s Gmail and Yahoo Mail.

For businesses, the mess is a warning of what can happen if employees are allowed to access corporate email, data and apps without separating them from all other information and services on a smartphone. Sensitive corporate data could end up on Facebook or other Internet service.

“It is a very dangerous reality that I may intend to communicate something highly sensitive from my iPad or Android [device] and not even realize I am emailing you on your Hotmail or Facebook address instead of your corporate account,” Chester Wisniewski, senior security adviser for Sophos, said by email.

People whose contact lists were altered found that messages sent never made it to their recipients. This led to complaints from users and a statement from Facebook, which blamed the fiasco on a bug that it has since fixed.

“For people on certain devices, a bug meant that the device was pulling the last email address added to the account rather than the primary email address, resulting in addresses being pulled,” a Facebook representative told ABC News

Fixing changes to contact lists involved retrieving previous versions from the service provider or a backup system. Facebook users who wanted to switch back to their previous default email on the social network had to go to their profile page and click through to edit their contact info.

Beyond the Facebook mix-up, the fact that mistakes can occur anywhere highlights the need to have sensitive information encrypted and accessible only to authorized recipients, Wisniewski said.

“Keeping personal apps and corporate apps separate is a necessary evil,” he said. “Where at all possible, cloud syncing should be carefully considered.”