[brabel]

> Some Facebook users have also reported instances of hackers taking advantage of the PGP encryption feature to compromise accounts. Once a hacker gains access to a Facebook account, they can proceed to activate email encryption.

It's quite disingenuous to make it sound like PGP was the problem here.

Read that sentence again: "Once a hacker gains access to a Facebook account" regardless of PGP or not... then, of course, they own the account and can do what they want!! But that's the problem, not that they can enable PGP encryption. If you had PGP encryption to start with, ironically you wouldn't be "susceptible" at all as it's the hacker who wouldn't be able to read your emails even after compromising your account (though they may do worse thing at that point).

[Anamon]

You may have still been susceptible because it seems that you can just change the key to a new one in that settings screen. I just tried, and setting a new key only asked me to confirm the password. An encrypted confirmation mail is apparently only sent when you enable the feature itself. So an attacker could potentially just replace your key with their own.

Of course they could've just fixed that instead of sunsetting encryption entirely, but note that Facebook didn't say this was the reason why they're killing the feature, that's just speculation from the news article. Facebook didn't give an official reason, so maybe it's really just because of low adoption.

[CommodoreCrunch]

But how are they getting into the account to begin with? Enabling PGP would prevent at least one method of password reset and they wouldn't get as far as the settings screen.

You could make the same case against 2FA. Most sites don't require email verification when you enable it. Someone with your password could lock you out by adding a TOTP app. But I wouldn't consider that a vulnerability. It is, if anything, a consequence of not locking down the account in the first place.