Facebook acknowledges stored plain text user passwords were visible to employees
Facebook has never been short of controversies when it comes to privacy and security. In yet another security slip, the social media giant on Thursday admitted that the company had stored millions of passwords in plain text on its internal servers for years after a security researcher exposed the issue online.
According to a report by security researcher of KrebsOnSecurity, passwords of approximately 200 million to 600 million Facebook users may have been stored in plain text on internal company servers rendering them searchable to as many as 20,000 company employees.
However, Facebook says there is no evidence till date that anyone within the company has abused or improperly accessed the plain text user passwords. The slip up was discovered during a routine security review early this year.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Pedro Canahuati, Facebook’s vice president of engineering, security, and privacy wrote in a statement. “Our login systems are designed to mask passwords using techniques that make them unreadable. To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”
Citing an unnamed senior Facebook employee familiar with the investigation, KrebsOnSecurity said that at least 2,000 Facebook employees have made approximately nine million internal queries for data elements that contained plain text user passwords. However, it is not known for what purpose.
Apparently, Facebook employees built applications that logged unencrypted password data that in turn exposed the passwords. While the company is still trying to determine how many passwords were exposed and for how long, the archives found with unencrypted user passwords point logging to as early as the year 2012.
“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
The issue is likely to have affected “hundreds of millions” of Facebook Lite users, millions of Facebook users and tens of thousands of Instagram users whose passwords may have been exposed.
In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said that the company has plans to notify affected Facebook users. However, the company has no plans to reset those users’ passwords.
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
Canahuati says that the company in the course of their review has been looking at the ways it stores certain other categories of information, such as access tokens, are stored, and fixing problems as they are found.
“There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” says Canahuati.
For those Facebook and Instagram users who are concerned about their account security, the company recommends them to change their passwords, or use unique, strong and complex passwords for all accounts on different sites, or enable a security key or two-factor authentication.