Facebook Stashed Hundreds of Millions of Unencrypted Passwords in Plain Text... For Years
The social media behemoth stands accused of storing account details, including the passwords of its users, in a plain-text database that was accessible and searchable by its employees. The story emerged through a report from KrebsOnSecurity, which claims the practice went back as far as 2012.
According to the report, “Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.” KrebsOnSecurity is reporting on the matter citing a “senior Facebook employee who is familiar with the investigation, and who spoke on the condition of anonymity because they were not authorized to speak to the press.”
According to that source, “between 200-million and 600-million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.”
“The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012,” according to KrebsOnSecurity.
The report went on to say that its “Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine-million internal queries for data elements that contained plain text user passwords.”
One person who did go on the record, Scott Renfro, a software engineer at Facebook, said: “we’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data.”
Renfro continued to explain that: “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
KrebsOnSecurity says that “[in] a written statement from Facebook, the company expects to notify ‘hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.’” For those unaware, Facebook Lite is a version of Facebook designed specifically for users with low-end hardware and slow connections.
According to the report, this issue first came to light in January of 2019, when new pieces of code alerted security engineers at Facebook that passwords were inadvertently being recorded in a plain-text, unencrypted format. This is problematic for a number of reasons, namely that the passwords were not protected within the system, and that as many as 20,000 Facebook employees could potentially access the database.
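As an added illustration (this is not Facebook's code and nothing in the report describes how its internal logging worked), the following Python shows the defensive control that stops this class of mistake at the source: a logging filter that redacts password-like fields before a record reaches any handler, so the plaintext never lands in a file, a log shipper, or a searchable index, plus a scanner for triaging an existing archive. The sensitive field names, the matching pattern, and the sample log lines are assumptions constructed for the example.

```python
import logging
import re

# Field names that must never reach a log sink. This list is an assumption for
# the example; a real deployment would extend it to match its own request schema.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "old_password"}
REDACTED = "[REDACTED]"

# Matches `key=value`, `key: value` and JSON-style `"key": "value"` for the keys
# above inside free-form text. The value stops at whitespace or a delimiter.
_KV_PATTERN = re.compile(
    r"\b(?P<key>" + "|".join(map(re.escape, sorted(SENSITIVE_KEYS))) + r")\b"
    r"(?P<sep>[\"']?\s*[=:]\s*[\"']?)"
    r"(?P<val>[^\s,&\"'}]+)",
    re.IGNORECASE,
)


def redact_mapping(data):
    """Return a copy of a dict/list with every sensitive key's value replaced,
    recursing into nested containers (structured log payloads)."""
    if isinstance(data, dict):
        return {
            k: REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_mapping(v)
            for k, v in data.items()
        }
    if isinstance(data, list):
        return [redact_mapping(v) for v in data]
    return data


def redact_text(line):
    """Mask the value of any sensitive key=value pair in a free-form log line."""
    return _KV_PATTERN.sub(lambda m: m.group("key") + m.group("sep") + REDACTED, line)


class RedactingFilter(logging.Filter):
    """Rewrites a record before any handler formats it. Attach it to the root
    logger (or to every handler) so no code path can bypass it."""

    def filter(self, record):
        if isinstance(record.msg, (dict, list)):
            record.msg = redact_mapping(record.msg)
        else:
            # Format first so %-style arguments are covered too, then scrub.
            record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def redacted_record_message(msg, args=()):
    """Run one log call through the filter and return what a handler would see."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def find_plaintext_passwords(lines):
    """Return (line_number, key) pairs for archive lines that still carry an
    unredacted sensitive value; the first step in scoping an incident like this."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in _KV_PATTERN.finditer(line):
            if m.group("val") != REDACTED:
                hits.append((n, m.group("key").lower()))
    return hits


# Constructed sample lines standing in for an application log archive.
SAMPLE_LOG = [
    "2019-01-15T10:01:02Z INFO login user=alice ip=10.0.0.7 status=ok",
    "2019-01-15T10:01:03Z DEBUG request body={'user': 'bob', 'password': 'hunter2'}",
    '2019-01-15T10:01:04Z DEBUG payload {"user": "carol", "new_password": "Tr0ub4dor"}',
    "2019-01-15T10:01:05Z INFO reset user=dave password=[REDACTED]",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    logging.getLogger().addFilter(RedactingFilter())
    logging.getLogger().debug("login user=%s password=%s", "alice", "hunter2")
    for line_no, key in find_plaintext_passwords(SAMPLE_LOG):
        print(f"line {line_no}: unredacted field '{key}'")
```

The filter is deliberately applied at the logger rather than in each call site: the failure mode described above is a developer logging a whole request object without thinking about one field in it, so the control has to sit where every record passes, and the archive scanner is what you run over what was already written to find out how far back the exposure goes.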
Facebook strongly rejects this, however. In a recently issued public statement Facebook assured its users that “we have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found stored in this way.”
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”