
Yesterday I got a mail from Facebook: "*Woman_I_have_known mentioned you on Facebook".

Haven't used FB in years, mail looks legit, I get kinda curious. I tap it, and am immediately logged in, in DDG browser (which has 0 cookies when closing)!

To top it off, she didn't mention me, she mentioned some #tag on some stupid lottery for a van.

It's so disrespectful. So dirty. I know they don't give a * about me, but do they have to put it on so thick?



This is a big reason why I'm so suspicious of AI. Those systems are largely backed by the same companies who have spent the last 15+ years disrespecting users and treating them as resources to extract, not actual people to serve.

The ethos in tech seems to be a simplistic toddler-like mindset for "more for more's sake" that doesn't care about others' agency.


The ddg browser part is simple to explain: you followed a link that was generated specifically for this email sent to you. When you click it fb knows who you are (so they directly log you in), but also that you reacted to this specific clickbait campaign.

Expect more trash from them since it worked once.


So if someone gains access to your email, they also get FB access…?


Yes, these are often referred to as "Magic Links."

When it comes to the security implications, consider that email has long been a "single point of failure" for a lot of services in the form of the "forgot password" feature that emails you a link to reset your password.

When I'm talking to non-tech people in my life about how best to protect themselves, I usually tell them to think about priorities and disaster scenarios. What would suck the most if it got hacked? The two that are usually at the top of the list for pretty much everyone are email and online banking. Others might include Amazon accounts (hackers can order themselves gift cards with your CC if compromised etc.) Prioritize securing those with a strong password + MFA. The rest is case by case but make sure to use a password manager so you're not reusing passwords.


I have never seen a use of a Magic Link that wasn't because I asked the Magic Link to be sent to me. Never, ever had one sent to me in a marketing/engagement email.


Facebook is able to realize outsize cross-web tracking benefits by having you logged in as long as possible. Few other companies are able to realize comparable benefits because they don't have the same ad-serving aspirations coupled with "Login with Facebook" reach.

Google is comparable, but it's too risky for them to have so many magic links hanging around in customer inboxes, because Google identities tend to be tied to far more sensitive 3rd party applications. Which is not to say that there are no sensitive applications with "Login with Facebook", but I'll argue there are fewer.


Yes, but that's pretty common for most services.

Clicking "forgot password" typically sends you an email prompting to set a new one; this is similar, in a sense.


They'll probably make you reauthenticate as soon as you do anything, but who knows...


That's usually how password reset emails work.


> So if someone gains access to your email, they also get FB access…?

I mean, that's how it works for most websites. I think I have 2FA turned on for FB, but honestly the phone system is way less secure than email at Google/Microsoft.


Yeah, I gathered as much, but still, just a single URL to an email address to log me in? What about my 36 char password and my 2fa app?

Edit: I just found I didn't set up 2fa. I wonder, if I had, would they still do this? Then it would have just blatantly ignored my second factor...


They want control over the post content (in case it's deleted, edited, etc) and also track your interaction ASAP, so they link it instead of embed.

You will be asked to authenticate if you try to do anything.


Just checked, I am fully logged in in a clean ddg browser session, and can accept friend requests, etc. But I don't have 2fa enabled.


It may be that the link only worked once. Try again after logging out. Does it work?


Clicked it again, it says: The link you clicked may have stopped working or the page has been moved.

Can still log in as often as I want into clean browser sessions. Even when I log out, clean the session, tapping the url logs me in again.

And every time FB sends me an email: "Someone logged in from some location, was it you?"
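The thread above describes a mailed link that logs the recipient in repeatedly, survives logout, and (per the question earlier about forwarded mail and 2FA) would hand the account to anyone holding the message. As an added example, not Facebook's code or anything from this thread, here is a hypothetical magic-link issuer and verifier with the properties that behaviour lacks: HMAC-signed, short-lived, bound to one purpose, consumed on first use, and treated as proof of mailbox access only, so a second factor is still demanded when the account has one. Class and method names, the key and the user ids are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

class MagicLinks:
    """Hypothetical magic-link issuer/verifier (added example, not a real site's code)."""

    def __init__(self, server_key, ttl_seconds=900):
        self.key = server_key          # constructed server-side secret
        self.ttl = ttl_seconds         # links die after 15 minutes by default
        self.used = set()              # server-side record of consumed token ids

    def issue(self, user_id, purpose, now=None):
        now = time.time() if now is None else now
        claims = {"uid": user_id, "purpose": purpose,
                  "jti": secrets.token_urlsafe(16),    # unique id, so each link is single-use
                  "exp": int(now) + self.ttl}          # absolute expiry
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def redeem(self, token, purpose, mfa_enabled, now=None):
        """Returns (outcome, user_id_or_reason). Never creates a session from a stale or reused link."""
        now = time.time() if now is None else now
        try:
            body, sig = token.rsplit(".", 1)
        except ValueError:
            return ("reject", "malformed")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return ("reject", "bad signature")        # forged or tampered link
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["purpose"] != purpose:
            return ("reject", "wrong purpose")        # a "view mention" link cannot act as a password reset
        if now > claims["exp"]:
            return ("reject", "expired")              # old mail in an inbox is worthless to a later reader
        if claims["jti"] in self.used:
            return ("reject", "replayed")             # second tap, or a forwarded copy, fails
        self.used.add(claims["jti"])
        if mfa_enabled:
            return ("second_factor_required", claims["uid"])  # mailbox access is not the second factor
        return ("session", claims["uid"])
```

The replay set is in memory here; a real deployment keeps it (or the one-time token) in the session store so that a consumed link is rejected by every server.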


A mention without a mention - I get that, but why do you think it's dirty to skip the log in?


Look at the context of the email he received.

It's a lie to get him onto the site and to start scrolling. In that context, skipping the login is pretty dirty.


Because though we know BigCo know too much about us, more than ourselves, revealing that ugly fact so frontally is tasteless.


If they had forwarded that mail to someone else--"Hey look! Someone mentioned me on facebook!"--then that second person could have logged into the first person's account with a single tap.

It's scummy and terribly insecure to pass around someone else's credentials via email.


That was my first thought. This can go downhill pretty quickly. Nobody suspects that you expose your account with a link to a mention.


Yup. Somehow, despite this, they're not even that good at the one thing their business relies on, correctly targeting adverts: https://news.ycombinator.com/item?id=40083838


I wonder if it's part of some growth hacking scam. They want their metrics to show x amount of people logging in each month, so they show these emails that auto log you in.


Yeah, I'm now back in that monthly active users group. Should have resisted more.


I wonder if Facebook has slowly begun to lean into the scammer email pattern where ... they really want the people who are ok with these patterns so they can hook them in other equally scummy ways.

Perhaps social media companies are not interested in anyone who wants to manage their feed or is looking for something specific; they want to point their product AT you, not have you use it.


Slowly begun? I've received this kind of email since their beginnings. The only reason they're not #1 at this is that LinkedIn does even more of it.


Oh my god, I've been at the end of my rope with LinkedIn too. Between the obnoxious notifications and the absolute brain rot that is The Feed™ there's basically nothing good about that site apart from the obligate profile-as-a-resume.

It is so pathetic how they beg and wheedle and connive to get you to engage. I’ve honestly lost all respect for that site at this point.


I like "beg" as a term for their notifications.



