Facebook stored millions of unencrypted user passwords
Pedro Canahuati, vice president of engineering for security and privacy at Facebook, said in a post on the company’s blog that the un-encrypted passwords were stored on internal servers and were not accessible to outsiders.
“To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them,” he wrote.
Despite such reassurances, the incident amounts to a significant oversight for a company that remains in the spotlight for failing to protect users’ privacy and breaches by hackers, among other issues.
“Security rule 101 dictates that under no circumstances passwords should be stored in plain text, and at all times must be encrypted,” said cybersecurity expert Andrei Barysevich of Recorded Future. “There is no valid reason why anyone in an organization, especially the size of Facebook, needs to have access to users’ passwords in plain text.”
The security blog KrebsOnSecurity said some 600 million Facebook users may have had their passwords stored in plain text. Facebook said it would likely notify “hundreds of millions” of Facebook Lite users, millions of Facebook users and tens of thousands of Instagram users of the issue.
Facebook said it discovered the problem in January. But according to Krebs, in some cases the passwords had been stored in plain text since 2012. Facebook Lite launched in 2015 and Facebook bought Instagram in 2012.
Barysevich said he could not recall any major company caught leaving so many passwords exposed internally. He said he’s seen a number of instances where much smaller organizations made such information readily available not just to programmers but also to customer support teams.
Security experts recommend using a tool like HaveIBeenPwned to check if a password has been compromised. Some also recommend using a password manager to regularly update complex passwords.