Facebook stored 600m user passwords in plain text exposed to 20k employees


The company says it discovered the issue in January and there is no need to change passwords.

The social media giant Facebook has revealed that its internal data storage systems saved user passwords in plain text that could be accessed by employees. The company said an ongoing investigation has so far found no sign that employees abused or improperly accessed those passwords.

See: 773 million records with emails & plain text passwords leaked online

In a statement, Facebook said it identified the problem in January this year and that it took the necessary steps to resolve the issue. The company also said that there is no need for affected users to change their passwords but it will notify everyone whose password was stored in plain text format.

“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” said Pedro Canahuati, Facebook’s VP Engineering, Security and Privacy, in a blog post.

Although Facebook did not reveal the exact number of users whose passwords were exposed to its employees, Brian Krebs of “Krebs on Security” put the total at between 200 million and 600 million Facebook users, citing a senior Facebook employee who spoke on condition of anonymity.

The worst part of this breach is that the data was accessible to more than 20,000 Facebook employees. For scale, as of December 2018 the social networking company employed 35,587 people, up from 150 in 2006.

This, however, is not the first time when a social media giant has been caught storing user passwords in plain text. Last year, Twitter sent notifications to over 336 million users urging them to change their account password because a bug in its internal system saved user passwords on an unprotected internal log in plain text format.

As for Facebook, this incident is just another blow. Last year, a Facebook bug exposed private photos of 6.8 million users to third-party developers. The same year hackers exploited a vulnerability in Facebook’s ‘view as’ feature and stole personal data of over 50 million users.

Engin Kirda, co-founder and Chief Architect at Lastline, Northeastern professor, and director of the University’s Information Assurance Institute answered several questions addressing the breach:

Why is this a bad situation?

“This is not only a bad situation, but it is actually terrible. It is a major relapse of operational security practices. Storing passwords in clear text is a terrible idea because it would allow employees and potential attackers who steal this data to easily use these passwords and potentially log on to other, non-Facebook-related services as well because users often reuse passwords.”

A Facebook insider has said that access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords. Is this common practice? What should they have done instead?

“This is definitely not common practice. It is unclear to me why engineers would need clear text passwords of users. Since the ’70s, operating systems have always been designed in a way that does not require anyone to see clear text passwords. The queries might have actually had a technical reason, but it is definitely not a good security design.”

What are the potential implications for Facebook users in this situation?

“If this data leaks out, or a Facebook employee who has access to this data ends up becoming malicious, having this data lying around might lead to other, easy account compromises that are not directly hosted on Facebook.”

Facebook has not found any signs of data misuse from these passwords being exposed. Now that it’s been made public, should Facebook users be more concerned that they could be targeted?

“Absolutely. This is terrible practice from an operational security point of view. All Facebook users should make sure that they are not reusing any Facebook password on another, unrelated account.”

Facebook has had many security-related issues being exposed. Should users be concerned about their digital safety?

“I personally have lost quite a bit of trust in Facebook’s ability and willingness to secure the privacy of its users. If a user uses their service, they should be careful about what information they share.”
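What “they should have done instead” looks like in code, as an added example written for this page (it is not Facebook’s code and nothing Kirda supplied): the plaintext anti-pattern beside a salted scrypt hash with constant-time verification, plus a redaction filter and a scan that flags log lines still carrying a password field, the kind of check an operator would run over internal logs and data exports after an incident like the Twitter one above. The log lines and the field-name pattern are constructed for the example; the scrypt parameters are the usual interactive-login defaults, not anything Facebook uses.

```python
"""Added example: password storage done wrong and done right, plus a guard
that keeps raw passwords out of application logs. Standard library only."""
import hashlib
import hmac
import os
import re

# Conservative scrypt parameters (assumption for this example): N=2**14, r=8, p=1
# costs about 16 MiB per hash. Raise N over time as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
REDACTED = "[REDACTED]"


def store_plaintext(password: str) -> str:
    """The anti-pattern in the article: whatever lands in storage or a log is
    immediately usable by anyone who can read it, on Facebook or elsewhere."""
    return password


def hash_password(password: str) -> str:
    """Salted scrypt hash, self-describing so parameters can be raised later.
    Format: scrypt$N$r$p$salt_hex$hash_hex (a convention chosen for this example)."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.
    Malformed records verify as False rather than raising."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                            dklen=len(expected))
    return hmac.compare_digest(digest, expected)


# Field names and value syntax are constructed for this example; extend for the
# parameter names your own services actually use.
_SECRET_FIELD = re.compile(
    r'("?(?:password|passwd|pwd)"?\s*[:=]\s*)("[^"]*"|[^\s&,}]+)', re.IGNORECASE)


def redact_secrets(line: str) -> str:
    """Scrub password values before a line is written to a log or datastore."""
    return _SECRET_FIELD.sub(r"\1" + REDACTED, line)


def find_plaintext_passwords(lines) -> list:
    """Return 1-based numbers of lines that still carry an unredacted password
    field: the scan an operator runs over existing logs and exports."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        if any(m.group(2) != REDACTED for m in _SECRET_FIELD.finditer(line)):
            hits.append(lineno)
    return hits


# Constructed sample log lines (not real Facebook or Twitter data).
SAMPLE_LOG = [
    "2019-01-14T10:02:11Z login_attempt user=alice password=hunter2 src=10.1.2.3",
    "2019-01-14T10:02:12Z login_ok user=alice",
    '2019-01-14T10:03:40Z api_request body={"user": "bob", "password": "Tr0ub4dor&3"}',
]

if __name__ == "__main__":
    record = hash_password("hunter2")
    print("stored:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:", verify_password("hunter3", record))
    print("lines leaking passwords:", find_plaintext_passwords(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact_secrets(line))
```

The verifier never learns the password in storage, only the salt and parameters needed to recompute and compare, so a leaked table or log of these records gives an insider or attacker nothing that works against other services. The redaction filter belongs at the logging boundary; the scan is the retroactive check that would have surfaced the nine million queries the insider describes.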

See: Here is a list of top 25 worst passwords of 2018

Moreover, unknown hackers were found selling private messages from 81,000 hacked Facebook accounts for as little as about 10 US cents (8p) per account. If you use Facebook, change your password as soon as possible. If you wish to permanently delete your Facebook account, follow this guide.

Update (April 7th, 2019): 

Facebook is finally contacting victims with a message urging them to change their passwords. Here is a full preview of the message that Facebook has been sending users lately:

