- Facebook admits that it stored the passwords of millions of users in readable form for years.
- An internal investigation shows that many millions of accounts are affected, possibly up to 20% of the user base.
- Facebook says the passwords were not misused and that it has found no indication of abuse.
In a post on its newsroom, Facebook admits that some of its users' passwords were stored in a readable format for years. According to the post, the passwords were accessible only to internal teams, and the company says it has found no evidence that any employee abused that access. The post gives no exact number of affected users, but it does indicate the scale: the company estimates that it will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.
According to a KrebsOnSecurity report published a few days earlier, internal Facebook sources indicate that the affected records date back to 2012, number between 200 and 600 million (up to about 20% of the total user base), and were searchable by more than 20,000 Facebook employees. No matter how thorough the internal investigation, there is no way to guarantee that none of those people misused the unprotected passwords, sold them on, or copied them elsewhere. The same sources claim that an analysis of the access logs shows around 2,000 engineers making about 9 million internal queries for data elements that contained plaintext user passwords.
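For contrast with the "readable format" described above, here is what a password store that an insider query cannot turn back into passwords looks like. This is an added example written for this article, not Facebook's code or anything from its newsroom post; the password, the record format (`pbkdf2_sha256$iterations$salt$hash`) and the `demo` helper are constructed for illustration. It uses PBKDF2-HMAC-SHA256 from Python's standard library with a per-user random salt and a constant-time comparison, and puts the weak pattern (storing the password itself) beside the hardened one so the difference is visible on the stored value.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor; 600,000 iterations follows current OWASP guidance.
# A memory-hard KDF (scrypt/Argon2id) is preferable where available; PBKDF2 is used
# here only because it ships with every Python build.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The weak pattern: the stored value IS the password, readable by anyone who can query it."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user, so equal passwords differ at rest
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the record's own salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password record format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def record_exposes_password(record: str, password: str) -> bool:
    """Would an insider who reads this stored value (or a log line containing it) learn the password?"""
    return password in record


def demo() -> dict:
    # Constructed sample credential; not real data.
    password = "correct horse battery staple"
    weak = store_plaintext(password)
    strong = hash_password(password)
    return {
        "plaintext_exposes": record_exposes_password(weak, password),
        "hashed_exposes": record_exposes_password(strong, password),
        "verify_ok": verify_password(password, strong),
        "verify_wrong": verify_password("correct horse battery stapler", strong),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the record format is that a query against the user table returns a salt and a derived key, never the credential, and that the verification path never needs the original password anywhere except in memory during login. Hashing at rest only helps if the plaintext is not also written somewhere else, for example into request or debug logs before the hash is computed; a review of what gets logged on the login path is the check that goes with it.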
Facebook's legal team will want to keep the count of affected accounts as low as possible, but the damage is already done, and the platform has once again shown the world (and the regulators) how carelessly it handles sensitive user data. Leaving the plaintext passwords of millions of users accessible to more than 20,000 employees for some seven years is not a single accidental misconfiguration. If Facebook only noticed this during an internal investigation, how long had it been since the previous investigation of this kind? Of course, the newsroom post chooses to focus elsewhere, dedicating most of its length to how the company protects the accounts of the other 80% of its users.
Automated detection of suspicious activity, alerts about unrecognized logins, and support for registering biometric login or a USB security key have raised the baseline level of security for Facebook users. However, anyone whose account was affected should immediately reset their password from within the platform's settings, change it anywhere else the same password was reused, stop using the same password on multiple websites, use a password manager, and enable two-factor authentication. No matter how unreliable Facebook may be, if you choose to stay on the platform, make sure you are doing everything you can on your side, and hope that Facebook does a better job in the future.