Pierluigi Paganini March 21, 2019

News problems for Facebook that admitted to have stored the passwords of hundreds of millions of users in plain text.

Facebook revealed to have stored the passwords of hundreds of millions of users in plain text, including passwords of Facebook Lite, Facebook, and Instagram users.

“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems.” reads the announcement published by Facebook.

“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable.”

The disconcerting discovery was made in January by Facebook IT staff as part of a routine security review. The passwords were stored in plain text on internal data storage systems, this means that they were accessible only by employees.

Facebook quickly fixed the issue and plans to notify the affected users.
Facebook estimated that hundreds of millions of people using Facebook Lite, tens of millions of other Facebook users, and tens of thousands of Instagram users are impacted.

“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” continues Facebook.

“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them,”

According to the popular investigator Brian Krebs that is investigating the incident, hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees. Krebs date some cases back to 2012, anyway he did not find an indication that employees have abused access to this data.

Krebs believes that the passwords of between 200 million and 600 million Facebook users may have been stored in plain text, and that over 20,000 Facebook employees may have been able to search those passwords.

Krebs cited a senior Facebook employee, who is familiar with the investigation and who spoke on condition of anonymity, that revealed the company is currently investigating a series of incidents regarding employees who built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.

According to Krebs, who cited its informer, access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

Even if no passwords were exposed outside the company, Facebook suggests the following steps to secure users’ accounts:

• You can change your password in your settings on Facebook and Instagram. Avoid reusing passwords across different services.
• Pick strong and complex passwords for all your accounts. Password manager apps can help.
• Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third party authentication app. When you log in with your password, we will ask for a security code or to tap your security key to verify that it is you.

Pierluigi Paganini

(SecurityAffairs – Facebook passwords, privacy)

[adrotate banner=”5″]

[adrotate banner=”13″]