Facebook found millions of passwords stored in plain-text in internal investigation

Facebook staff had access to hundreds of millions of people’s passwords

Turns out, Facebook's internal servers were storing millions of plain-text, unencrypted user passwords.

Further, the company - in the interest of full disclosure - said it would notify users whose passwords were stored in plain text about the security lapse.

Facebook said that hundreds of millions of users of Facebook Lite had been impacted, while tens of millions of regular Facebook users were impacted.

The company said the passwords weren't visible to anyone outside of the company, adding that "we have found no evidence to date that anyone internally abused or improperly accessed them".

Facebook's practice is to mask people's passwords by replacing them with random characters and then tucking away software keys needed to make sense of the jumble, according to Canahuati.

"In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this."
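The two points above, the masking practice Canahuati describes and the failure mode of passwords being inadvertently logged, are easiest to see side by side in code. The following is an added illustration, not Facebook's code and not part of the article: it stores only a salted PBKDF2-HMAC-SHA256 digest of each password (the iteration count and salt size are assumed parameters, not values from the article), verifies logins against that digest in constant time, and installs a logging filter that redacts password-like fields before any log line is written, so that a careless `log.info("login %s", request)` cannot leak the secret the way the article describes.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import Optional

# Assumed parameters (not from the article): PBKDF2-HMAC-SHA256 with a
# random 16-byte per-user salt and 200,000 iterations.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$digest_hex'.

    Only this record is persisted; the password itself is never stored or logged.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Matches key=value, key: value, "key": "value" forms for password-like keys.
_SECRET_RE = re.compile(
    r'(?i)(password|passwd|pwd)(["\']?\s*[:=]\s*["\']?)([^\s"\'&,}]+)'
)


def redact_secrets(text: str) -> str:
    """Replace the value of any password-like field with [REDACTED]."""
    return _SECRET_RE.sub(r"\1\2[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs secrets from every record before it is emitted.

    It formats the message first so that values passed as %-args are covered too.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_secrets(record.getMessage())
        record.args = None
        return True


if __name__ == "__main__":
    # Constructed sample login request; "s3cret" is a made-up password.
    request = {"user": "alice", "password": "s3cret", "ip": "192.0.2.10"}

    stored = hash_password(request["password"])
    print("stored record:", stored)
    print("login ok:", verify_password("s3cret", stored))
    print("wrong pw ok:", verify_password("wrong", stored))

    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("auth")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # The careless call that would otherwise write the password to the log file.
    log.info("login attempt %s", request)
```

The filter sits on the handler rather than the logger so it also covers records propagated from child loggers; in a real service the same scrubbing should be applied to request-debugging middleware and crash reports, which are the other common places plaintext credentials end up.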

"There is no valid reason why anyone in an organization, especially the size of Facebook, needs to have access to users' passwords in plain text", said cybersecurity expert Andrei Barysevich of Recorded Future.

The company said it discovered the passwords during a security review in January and launched an investigation.

Brian Krebs first reported the security breach on his blog, Krebs on Security, prior to Facebook's public announcement.

Nonetheless, many would argue that Facebook hasn't exactly earned the benefit of the doubt with respect to security and user privacy. If you didn't think that Facebook could go lower than sharing personal information from 87 million users with third-party sites, violating a signed FTC consent decree in the process, maybe you're not giving the social media company enough credit.

"Right now they're working on an effort to reduce that number even more by only counting things we have currently in our data warehouse".

Avoid reusing passwords across different services. Using SMS-based 2FA over 2G networks with weak encryption doesn't seem ideal, and thanks to Facebook's use of phone numbers to find profiles, connecting a phone number with a Facebook username is fairly simple.

Most of the accounts affected were using Facebook Lite, a version of the app designed for emerging markets.

The fact that the company couldn't manage to do something as simple as encrypting passwords, however, raises questions about its ability to manage more complex encryption issues - such as in messaging - flawlessly.
