Don't Send Sensitive Info On Facebook Messenger, Cybersecurity Experts Warn

Cybersecurity experts are advising users against using Facebook Messenger to send sensitive information after revelations by The New York Times that Facebook allowed large tech companies to access personal user data. One security expert told CBS News the report exposed Facebook's "systematic failures to protect customer data."

Documents obtained by The Times allege that Facebook formed partnership deals that provided privileged access to user information to several large technology companies, including Spotify, Netflix and Yahoo.

Private user information from Facebook allowed these companies to build personalization and recommendation features and helped users connect with friends outside of the Facebook website. Access to user data also gave companies the ability to read, write, and delete private messages — though Facebook said in a blog post Wednesday, "No third party was reading your private messages, or writing messages to your friends without your permission."

But cybersecurity experts warn that by exposing user information, including private messages, Facebook might have exposed users to security vulnerabilities like phishing, harassment, hacking, and identity theft.  

"Messages in Facebook Messenger are likely more sensitive than the information many Facebook users reveal to friends and family in their profiles," said John Dickson, principal at Denim Group. He warned that Facebook was trading user safety for profit. "Facebook has been able to make billions by selling user information and behavior information in exchange for access to its feature-rich social network platform. Their strategy shapes Facebook's business culture in untold ways. It puts company leaders at odds with security and privacy experts."

Colin Bastable, CEO of the security awareness training company Lucy Security, explained that Facebook's business model relies on selling access to data, and warned that private companies and business leaders could be at risk of exposing sensitive intellectual property to hackers.

"I would not trust Facebook with any of my information in a million years," said Bastable. "Their business depends on accessing and selling personal information. Facebook is no better at protecting confidential data than any other social networking company. That is a pretty low bar, in a world where there are so many highly motivated, highly skilled data thieves."

In a post on the Facebook Newsroom blog, Ime Archibong, Facebook's VP of Product Partnerships, downplayed the severity of data sharing and said that the information Facebook provided to partners was routine for the industry.

"We worked closely with four partners to integrate messaging capabilities into their products so people could message their Facebook friends — but only if they chose to use Facebook Login. These experiences are common in our industry — think of being able to have Alexa read your email aloud or to read your email on Apple's Mail app," he said.

Apple and Amazon could not be reached for comment.

A spokesperson for Spotify told CBS News that the company did not read user messages and stated that private data was used to personalize the service:

"Spotify's integration with Facebook has always been about sharing and discovering music and podcasts. Spotify cannot read users' private Facebook inbox messages across any of our current integrations. Previously, when users shared music from Spotify, they could add on text that was visible to Spotify. This has since been discontinued. We have no evidence that Spotify ever accessed users' private Facebook messages."

Facebook's response did little to ease the concerns of cybersecurity experts. Technology and digital security experts remain skeptical that Facebook could adequately protect user privacy in the future.  

"Despite Facebook's outward attempts to regain user trust and assert its commitment to user privacy, this latest discovery reveals the company and Silicon Valley's systematic failures to protect customer data," said Matt Moynahan, CEO of cybersecurity firm Forcepoint. "You shouldn't trust Facebook as a whole, and by extension, Facebook Messenger. It's naive to assume that if Facebook is exploiting any part of our personal data that personal messages would be excluded."