Facebook Stored User Passwords in Plain Text for Years!
Facebook had for years stored hundreds of millions of user passwords in plain text, according to a recent report.
Brian Krebs has, through his website KrebsOnSecurity, made this rather startling revelation. Krebs says, in a report dated 21 March 2019, “Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned.”
He clarifies that according to an ongoing investigation at Facebook, there are no indications so far that any employee has abused access to such data.
Facebook has begun investigating a series of security failures relating to employees building applications to log unencrypted password data, which were then stored on internal company servers, in plain text. KrebsOnSecurity has revealed this based on some senior Facebook employee, who had spoken on condition of anonymity.
Quoting the anonymous Facebook source, Krebs writes that the Facebook probe has revealed that Facebook might have stored passwords of at least 200 to 600 million users in plain text, which was searchable by over 20,000 Facebook employees.
“The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012,” says Brian Krebs.
He adds, “My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.”
Facebook reportedly planned to alert affected users, but at the same time has clarified that the users wouldn’t have to reset their passwords.
KrebsOnSecurity quotes Facebook software engineer Scott Renfro as saying, “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
KrebsOnSecurity has reportedly got a written statement from Facebook saying that the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
It was reportedly in January 2019 that the issue was detected, when some security engineers reviewing some new code found passwords inadvertently logged in plain text. This prompted a probe and also prompted Facebook to think of working out changes so as to prevent such issues in the future.
Brian Krebs points out that such incidents of user passwords being logged in plain text happened at Twitter and Github too, but the number of people within those organizations to whom these were available was relatively small and the period of time for which the plain text passwords were available was also shorter.
Julia Sowells958 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.