According to a new report from Krebs on Security, Facebook has been storing hundreds of millions of users’ passwords in plain text.
Usually, users’ passwords are never stored directly: they are protected with a one-way cryptographic transformation known as hashing, so that even the service operator cannot read them back. However, a string of internal errors led some Facebook-branded apps to store passwords in plain text. According to a statement, the issue has impacted “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” As a direct result, as many as 20,000 Facebook employees had direct access to people’s passwords written in plain English (or whatever language – you get the idea).
According to estimates, between 200 and 600 million accounts are thought to be affected. Facebook confirmed Krebs on Security’s report in a blog post titled “Keeping Passwords Secure”, admitting that it had detected the problem as early as January this year. However, according to the social network, there’s no evidence to suggest that the plain text passwords left the confines of the Facebook offices or that they were misused internally. In addition, Facebook said it has fixed the problem and there’s no need for users to change their passwords. In an interview with Krebs on Security, a Facebook engineer said:
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
The faulty password logging procedure dates back as far as 2012. Despite the fact there’s no evidence access was abused, at least 2,000 employees could run searches on the files and several employees conducted searches with unclear goals.
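As an added illustration of the two controls at issue in this incident, storing only a salted hash and keeping credentials out of application logs, the following Python (not code from the report or from Facebook) hashes a password with PBKDF2 and attaches a logging filter that redacts sensitive fields before any debug line can capture them. The `SENSITIVE_KEYS` list, the `login-demo` logger and the sample login form are constructed for this example.

```python
import hashlib
import hmac
import logging
import os
from io import StringIO
from typing import Optional

# Constructed list of field names that must never reach a log line.
SENSITIVE_KEYS = {"password", "passwd", "pass", "secret", "token"}
PBKDF2_ROUNDS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store only a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def scrub(value):
    """Recursively replace values under sensitive keys so they are never formatted into a log."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else scrub(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value

class RedactingFilter(logging.Filter):
    """Handler-level filter: scrubs structured log args no matter which call site logged them."""
    def filter(self, record: logging.LogRecord) -> bool:
        if record.args:
            record.args = scrub(record.args)
        return True

def simulate_login(form: dict, stored_hash: str) -> tuple:
    """Run one login through a logger with the filter attached; return (ok, captured log text)."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("login-demo")
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.debug("login request: %s", form)  # the kind of line that leaks credentials unfiltered
    ok = verify_password(form.get("password", ""), stored_hash)
    logger.info("login %s for %s", "ok" if ok else "failed", form["username"])
    return ok, buf.getvalue()
```

The filter sits on the handler rather than at the call site, so a developer's stray debug statement is caught centrally instead of relying on every author remembering to redact.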
These events are the latest in a string of privacy scandals for the tech giant. In October last year, a hacker gained access to personal information on nearly 29 million accounts. Before that, an investigation found that 81,000 users’ direct messages were sold on the black market – not to mention the heat the social network has faced in regard to their data sharing practices.
In response, the company has announced a new ‘pivot to privacy’. However, this move has been met with significant skepticism from industry insiders and analysts.