Thursday March 21, 2019

Facebook Employees Had Access to Millions of User Passwords Stored in Plain Text

In a new blog post entitled "Keeping Passwords Secure" Facebook VP Engineering, Security and Privacy Pedro Canahuati explains how the social media giant accidentally stored Facebook user's passwords on internal data storage systems in plain text. Pedro explains how "these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users." To keep your account safe, Facebook suggests changing your Facebook and Instagram passwords, pick strong passwords, use a password manager, and enable a security key or two-factor authentication.

In recent months, Facebook has vowed to clean up its act as it has been accused of sharing user data, one click account takeover bugs, paying minors to harvest their data without parental consent, had its enterprise certificate revoked by Apple, access token hack, Cambridge Analytica, and many more fines and hacks. I would suggest picking a password so long and complex that Facebook employees would get tired from writing it down.

News Image

As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.

Discussion