Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

3/21/2019
02:45 PM
100%
0%

Facebook Employees for Years Could See Millions of User Passwords in Plain Text

2,000 Facebook engineers or developers reportedly made some nine million internal queries for data elements with plain text passwords.

An internal Facebook investigation has found between 200 million and 600 million of its users may have had their account passwords stored in plain text for years, meaning they could have been searched and accessed by more than 20,000 Facebook employees.

The issue was first reported by KrebsOnSecurity, which cites a senior Facebook employee familiar with the ongoing investigation saying archives have been found with unencrypted user passwords dating back to 2012. Investigators are still working to determine the total number of user passwords affected and length of time they were exposed.

Facebook reports the problem was detected in January during a routine security review, when it saw some passwords were being stored in readable format on internal data storage systems.

In a blog post, Pedro Canahuati, vice president of engineering, security and privacy at Facebook, says the company's login systems are designed to mask passwords using tactics that make them unreadable. He says the passwords were not visible to anyone outside Facebook and there is no evidence anyone within the company abused or improperly accessed passwords. Further, Facebook has fixed the issue and will notify people whose passwords were found unencrypted.

"We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users," Canahuati says. Because there's no indication passwords were exposed, users won't be required to change them.

The anonymous source who spoke with KrebsOnSecurity says Facebook access logs indicate about 2,000 engineers or developers made some nine million internal queries for data elements with plain text passwords. While there's no sign of abuse, it's still unclear why they did this.

Read more details here.

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/22/2019 | 7:46:47 AM
This is the cloud
FB as discussed is a perfect illustration of the danger of cloud apps.  I have long felt that the simple view of this platform is as a enormously huge long RJ-45 cable from your system-network over the internet to another server (data center) somewhere else in the world with someone else's hands on keyboard(s) doing god knows what with your data.  There is no pure 'cloud' per se - data has to be stored and running on a system somewhere.  (Corporations love it because they can shutter that expensive data center room and fire staff to make a new coffee lounge).   So I am not surprised that FB had access to private data.  Gee, imagine that.  And if they can see it in plain text, who ELSE can see or have access to such data.  Hmmmmmm

Second thought - kinda makes secure passwords seem silly, doesn't it!!!
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/22/2019 | 10:18:34 AM
Re: This is the cloud
Very much agree with your parable. There is no reason the fact of FB having private data should be a surprise to anyone. "Secure Password" also feels like an oxymoron simply put, passwords are the least secure means of authenticating. (Outside of NOT having a password of course)
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
3/22/2019 | 10:25:44 AM
Re: This is the cloud - on secure passwords
One of my managers once thought of a unique password, particularly if someone may be shoulder watching your screen: ********    True.  Another user had just "guess: as a password and that drove me crazy fo 2 minutes when troubleshooting
KevinStanley
50%
50%
KevinStanley,
User Rank: Apprentice
3/25/2019 | 12:56:06 PM
Re: This is the cloud
Absolutely. 
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/27/2019 | 9:57:56 AM
Re: This is the cloud
Just had to change my password for this forum and used the most memory-sound but complex one I could make up.  
CharlieDoesThings
50%
50%
CharlieDoesThings,
User Rank: Apprentice
3/27/2019 | 4:00:03 PM
Re: This is the cloud
That's right. I bet the majority of social media use similar password storage solutions or at least have used until this thing with facebook blew up. Just to be on the safe side, always use different passwords everywhere.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...
CVE-2020-5242
PUBLISHED: 2020-02-20
openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file whic...
CVE-2020-8601
PUBLISHED: 2020-02-20
Trend Micro Vulnerability Protection 2.0 is affected by a vulnerability that could allow an attack to use the product installer to load other DLL files located in the same directory.