Facebook stored millions of unencrypted user passwords

Facebook on Thursday said it had for years stored millions of user passwords in plain text, explaining that it discovered the security lapse as part of a “routine” review last month. Security researcher Brian Krebs today posted an article about the issue.

Pedro Canahuati, vice president of engineering for security and privacy at Facebook, said in a post on the company’s blog that the un-encrypted passwords were stored on internal servers and were not accessible to outsiders.

“To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them,” he wrote.

Despite such reassurances, the incident amounts to a significant oversight for a company that remains in the spotlight for failing to protect users’ privacy and breaches by hackers, among other issues.

“Security rule 101 dictates that under no circumstances passwords should be stored in plain text, and at all times must be encrypted,” said cybersecurity expert Andrei Barysevich of Recorded Future. “There is no valid reason why anyone in an organization, especially the size of Facebook, needs to have access to users’ passwords in plain text.”

Facebook’s data-sharing deals reportedly under criminal investigation

The security blog KrebsOnSecurity said some 600 million Facebook users may have had their passwords stored in plain text. Facebook said it would likely notify “hundreds of millions” of Facebook Lite users, millions of Facebook users and tens of thousands of Instagram users of the issue.

Facebook said it discovered the problem in January. But according to Krebs, in some cases the passwords had been stored in plain text since 2012. Facebook Lite launched in 2015 and Facebook bought Instagram in 2012.

Barysevich said he could not recall any major company caught leaving so many passwords exposed internally. He said he’s seen a number of instances where much smaller organizations made such information readily available not just to programmers but also to customer support teams.

Security experts recommend using a tool like HaveIBeenPwned to check if a password has been compromised. Some also recommend using a password manager to regularly update complex passwords.

Categories: US & World News

Leave a Reply

Your email address will not be published. Required fields are marked *