Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Facebook Employees for Years Could See Millions of User Passwords in Plain Text
2,000 Facebook engineers or developers reportedly made some nine million internal queries for data elements with plain text passwords.
2 Min Read
An internal Facebook investigation has found between 200 million and 600 million of its users may have had their account passwords stored in plain text for years, meaning they could have been searched and accessed by more than 20,000 Facebook employees.
The issue was first reported by KrebsOnSecurity, which cites a senior Facebook employee familiar with the ongoing investigation saying archives have been found with unencrypted user passwords dating back to 2012. Investigators are still working to determine the total number of user passwords affected and length of time they were exposed.
Facebook reports the problem was detected in January during a routine security review, when it saw some passwords were being stored in readable format on internal data storage systems.
In a blog post, Pedro Canahuati, vice president of engineering, security and privacy at Facebook, says the company's login systems are designed to mask passwords using tactics that make them unreadable. He says the passwords were not visible to anyone outside Facebook and there is no evidence anyone within the company abused or improperly accessed passwords. Further, Facebook has fixed the issue and will notify people whose passwords were found unencrypted.
"We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users," Canahuati says. Because there's no indication passwords were exposed, users won't be required to change them.
The anonymous source who spoke with KrebsOnSecurity says Facebook access logs indicate about 2,000 engineers or developers made some nine million internal queries for data elements with plain text passwords. While there's no sign of abuse, it's still unclear why they did this.
Read more details here.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.
About the Author(s)
You May Also Like
More Insights
Webinars
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Events
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024
