Facebook is under fire yet again — and this time, it’s for leaving hundreds of millions of user passwords unprotected. Security researcher Brian Krebs reports that a company oversight left up to 600 million exposed because they were stored in plain text. Leaving the passwords in plain text format means that the information was readable and searchable among 20,000 Facebook employees.
Storing passwords in plain text is a huge security risk for anybody — and when you’ve got 20,000 employees with access to an unprotected password storage bank, things can really start to look grim. According to the report, the plain text password issue could affect users of Facebook, Facebook Lite and Instagram –and in some cases, the password information dates as far back as 2012. While Facebook has gotten into an awful lot of trouble lately for selling data and violating user privacy, this is an issue that could have been entirely avoided — had the proper security precautions been taken.
Facebook officials say that they first became aware of this major security flaw back in January. As of March, the company was still working on notifying all users whose information had been compromised. According to Facebook, there is no evidence that the plain text password information has been abused or wrongly accessed.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the company said in a statement.
Facebook software engineer Scott Renfro told Krebs, of Krebs On Security, that the passwords were “inadvertently logged” but that there is “no actual risk.” Because of the “low risk,” Facebook said it was not requiring any users to reset their passwords.
“We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse,” Renfro said.
After accidentally exposing 600 million passwords, you’d think Facebook would at least suggest users update their passwords for safety. But Big Tech seems to think itself invincible. While the folks at Facebook say there is no “evidence” that the passwords have been abused, the fact remains that they were indeed vulnerable.
The report from Krebs reveals that the plain text passwords were linked to nine million internal searches conducted by 2,000 engineers. According to Krebs, this “bug” dates all the way back to 2012 — and Facebook only just discovered it in January 2019.
The truth about whether or not these passwords have been compromised may not come out until they’re found on the dark web. Facebook claims there is no evidence the passwords were “internally abused,” but the problem is that they were negligent — they failed to employ basic security measures that even the smallest companies know to use.
Facebook has gotten a lot of much-deserved criticism for how reckless they’ve been with user data and privacy. The selling of user data has been a particularly sore spot for the social media company, and the company has faced repeated investigations for their behavior. While Facebook executives wax poetic about how important protecting user information is to them, their actions speak differently.
See more coverage of the latest controversies in tech at Glitch.news.
Sources for this article include: