Facebook Stored Hundreds of Millions of Passwords Accessible in Plaintext for Years

Photo: Justin Sullivan (Getty)

Facebook stored hundreds of millions of account passwords in plaintext for years, the company admitted on Thursday following a report by cybersecurity reporter Brian Krebs. The passwords were accessible to over 20,000 Facebook employees, according to Krebs, raising the obvious risk that they could be improperly accessed.


“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” said Facebook’s Pedro Canahuati.

The plaintext passwords date back to 2012, according to Krebs.

“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” said Canahuati.

There’s no explanation of why the mistake was made. Twitter and GitHub have made similar mistakes.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Facebook engineer Scott Renfro told Krebs. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”


As far as Facebook’s long list of scandals and incidents go, including a 2018 incident impacting 50 million accounts, the bad storage of these passwords seems at first to be far from the worst.

There is, of course, risk in keeping hundreds of millions of passwords readable and therefore more easily stolen. And there are still unanswered questions: Facebook said it used industry-standard encryption technology (known as hashing and salting), yet how all these passwords ended up sitting around in plaintext for as long as seven years remains unknown.
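The two mechanisms the article touches on, storing passwords only as salted hashes and making sure a careless debug statement cannot write the plaintext into a log file, are shown below in an added example. This is constructed illustration code, not Facebook’s code, and the cost parameters, field names and sample credentials are assumptions for the demo.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import Optional

# Assumed scrypt cost parameters for this demo (16 MiB of memory per hash).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different digests, so the stored value is unreadable
    and precomputed lookup tables are useless against it."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


# Regex for password-like key/value fields in a free-text log line (demo pattern).
PASSWORD_FIELD = re.compile(r"(password|passwd|pwd)(\s*[=:]\s*)(\S+)", re.IGNORECASE)


def redact(line: str) -> str:
    """Mask the value of any password-like field in a single log line."""
    return PASSWORD_FIELD.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)


class RedactPasswordFilter(logging.Filter):
    """Logging filter that masks password fields before a record is emitted.
    This is the kind of last-line guard that catches passwords 'inadvertently logged'."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message once, redact it, and drop the args so the
        # plaintext value never reaches a formatter or handler.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo_login_logging(username: str, password: str) -> list:
    """Log a login attempt through a redacting handler and return what was written."""
    logger = logging.getLogger("demo.login")
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.propagate = False
    handler = ListHandler()
    handler.addFilter(RedactPasswordFilter())
    logger.addHandler(handler)
    # A careless debug statement that would otherwise write the plaintext secret:
    logger.debug("login attempt user=%s password=%s", username, password)
    return handler.lines


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")  # constructed sample
    print("stored:", salt.hex(), digest.hex())
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
    print("log line:", demo_login_logging("alice", "hunter2")[0])
```

The filter is deliberately attached to the handler rather than the logger, so it also covers records that arrive via propagation from other modules. A regex over rendered text is a safety net, not a substitute for never passing the password object to a log call in the first place; structured logging with an explicit allow-list of fields removes the problem at the source.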


At this point in Facebook’s investigation, no abuse seems to have happened, but it’s obvious that the inquiry is ongoing.

The best thing you can do to secure your Facebook account, and most of your important accounts, is to use a unique password for every online account you use and enable two-factor authentication. You can also check your Facebook account for suspicious activity.


Reporter in Silicon Valley. Contact me: Email poneill@gizmodo.com, Signal +1-650-488-7247



This serves to teach that nothing should be trusted, but for me “enable two-factor authentication” is one more reason to not enable it: if the passwords were stored in plain text, who guarantees that your phone numbers were encrypted?

If they were not, then these 20.000+ would have access to the phones and numbers, and this can lead to a huge problem, other than accessing your account. In my country criminals gather the name and phone of a person, then the name of a relative; after that they call and say they kidnapped the relative, requiring a payment to release them, but they tell you not to hang up the phone, so you can’t phone the person. Imagine if they even have the phone: “John, we kidnapped your daughter Jill, and don’t even try to call her on 99999-9999 because if you do we will kill her.”

Best way to stay safe is to change passwords each month, and use a randomly generated one.