Facebook stored hundreds of millions of account passwords in plaintext for years, the company admitted on Thursday following a report by cybersecurity reporter Brian Krebs. The passwords were accessible to over 20,000 Facebook employees, according to Krebs, raising the obvious risk that they could be improperly accessed.
“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” said Facebook’s Pedro Canahuati.
The plaintext passwords date back to 2012, according to Krebs.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” said Canahuati.
There’s no explanation of how the mistake was made. Twitter and GitHub disclosed similar password-logging bugs in 2018.
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Facebook engineer Scott Renfro told Krebs. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
As far as Facebook’s long list of scandals and incidents goes, including a 2018 incident impacting 50 million accounts, the poor storage of these passwords seems at first to be far from the worst.
There is, of course, risk in keeping hundreds of millions of passwords readable and therefore more readily stolen. But there are still unanswered questions. Facebook said it uses industry-standard password storage (salted hashing, a one-way transformation rather than encryption), so how all these passwords ended up sitting around in plaintext for as long as seven years remains unknown.
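The two mechanisms at issue above, a credential store that holds only salted hashes and a logging path that can still leak the plaintext, are easy to confuse, so here is an added example (not Facebook’s code, and not part of the original article). It assumes PBKDF2-HMAC-SHA256 as the salted-hash scheme, which is an assumption for illustration; the login request is a constructed sample. The point it makes is that hashing at rest does nothing if a debug log captures the request before the hash is computed, so the log writer has to redact credential fields itself.

```python
import hashlib
import hmac
import json
import os
from typing import Any, Optional

# Assumed parameters for illustration; the article does not say which
# algorithm Facebook's login systems use.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Field names the log writer must never emit verbatim.
SENSITIVE_FIELDS = {"password", "passwd", "new_password", "old_password"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, one-way hash in a self-describing format:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    A fresh random salt per password defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        recomputed = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record: wrong field count, bad hex or non-integer count.
        return False


def log_line_unsafe(request_body: dict) -> str:
    """The inadvertent-logging bug: a debug log of the whole login request.
    The credential store only ever sees hash_password() output, yet the
    plaintext still lands on disk here, before hashing happens."""
    return "login request: " + json.dumps(request_body, sort_keys=True)


def redact(obj: Any) -> Any:
    """Mask sensitive keys anywhere in a nested JSON-like structure."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_line_redacted(request_body: dict) -> str:
    """Same log line with credential fields masked before serialisation."""
    return "login request: " + json.dumps(redact(request_body), sort_keys=True)


def log_contains_secret(log_text: str, secret: str) -> bool:
    """Detection check for the failure mode: does a known plaintext
    credential appear anywhere in captured log output?"""
    return secret in log_text


if __name__ == "__main__":
    # Constructed sample request, not real data.
    body = {"user": "alice", "password": "correct horse battery staple",
            "client": {"app": "facebook-lite", "token": "abc"}}
    record = hash_password(body["password"])
    print(record)
    print("verify ok:", verify_password(body["password"], record))
    print(log_line_unsafe(body))      # leaks the plaintext
    print(log_line_redacted(body))    # safe to write to disk
```

The same grep that `log_contains_secret` performs, run over historical log archives with a sample of known test-account passwords, is how an organisation finds out whether it has this problem before a reporter does.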
At this point in Facebook’s investigation, no abuse appears to have occurred, but the inquiry is ongoing.
The best thing you can do to secure your Facebook account, and most of your important accounts, is to use a unique password for every online account you have and enable two-factor authentication. You can also check your Facebook account for suspicious activity.