Facebook stored millions of users' passwords in searchable plain text for years
Just when you think things couldn't get any worse with Facebook, something else comes along to lower your opinion of the social network even further. The latest security slip-up relates to passwords: it turns out that for up to six years, millions of user passwords were stored in plain text.
As well as being stored in plain text, passwords were searchable by thousands of Facebook employees. An investigation by Facebook suggests that somewhere between 200 million and 600 million user accounts were affected, some as far back as 2012.
- Pahahaha! Zuckerburg outlines his, *snort*, privacy-focused vision for Facebook and social networking hahahaha!
- Facebook is adding a Tributes section to memorialized accounts of deceased users
- If you've added your phone number to Facebook for 2FA security, it can be used to search for you
While an investigation has been started, it is not yet clear precisely how many account passwords are involved or exactly how long they were stored in this way. As reported by KrebsOnSecurity, Facebook says that plain text passwords were only ever visible to company employees -- not that this will come as much comfort to anyone affected by the issue.
The company says that the issue first came to light back in January, and this is when it launched its investigation. Trying to play down the significance of what happened, Facebook says:
These passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.
Facebook will, in due course, notify any users that have been affected by this security issue. The company says this will amount to "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users".
Speaking with KrebsOnSecurity, Facebook software engineer Scott Renfro said:
We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we're reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.
Facebook has also posted an article about the issue:
As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.
To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.
In the course of our review, we have been looking at the ways we store certain other categories of information -- like access tokens -- and have fixed problems as we've discovered them. There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook.