Facebook to Users: We Have Your Paypal Credentials--Resistance is Futile.
Tuesday, September 21, 2010 at 01:25AM A couple of months ago, I ran across a post about how Facebook did a data load from their application partners who accept payments, and how this caused them to gain access to user's Paypal login/password. "Now Facebook has your login and password, and it is part of your profile!" the post warned. It followed up with a good description of the steps to remedy this forced disclosure of credentials that most would want to keep private, since it is a direct line into their wallet.
The post described how to go into your settings and disable that "feature" so that you will not have Facebook storing your login and password to Paypal. I specifically went in to verify that my credentials were not in there, but later after making a purchase from an application (and declining their prompt to link the application to my Paypal account as I do each time), I noticed that it had been populated in my profile regardless. I removed it, and Paypal sent me an email confirming the relationship had been severed. I had opted out.
Today, after making another purchase, I got a bit of a shock. After my last purchase, I again declined to link the account to this application. Today's purchase went through without my being redirected to the Paypal site or prompting me for login or password. I checked my settings, and sure enough, the account detail had again been populated without my consent. I deleted the credential again from my Facebook profile.
Then I did a quick test. I made a purchase through the same application for the least dollar amount possible. I was prompted for the credentials since I'd removed them from my profile. At no time was I told that Facebook would be keeping my login and password to this site, nor was I given the option to opt out. I went back to my account settings, and it was populated again. The next purchase used those credentials to login and authorize the purchase without my entering a password.
I understand that that Facebook is marketing this as a convenience for their users, but I object to having my credentials to a financial site automatically stored without my consent--and in fact after opting out multiple times, the behavior is clearly a standard practice for this site. This is an unacceptable breach of privacy--I chose not to share the credentials and the site effectively stole them. I would not consider it a convenience to find that a compromise of my social networking account had also caused a compromise of a financial account that I did not consent to share.
Reader Comments