Facebook Facepalm: Up To 600 Million User Passwords Were Stored In Plain Text

Facebook just can’t seem to keep its nose clean with respect to security and user privacy. The latest blunder was first reported by KrebsonSecurity, which discovered that the social networking giant was storing user account passwords in plain text instead of hashing them.
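To make concrete what “hashing them” means in practice, here is an added example (not code from the article or from Facebook) contrasting a plaintext credential record with a salted PBKDF2-HMAC-SHA256 record that can still verify a login without ever storing the password itself. The sample credential and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: what a plaintext credential store looks like.
# The secret is recoverable by anyone who can read the record.
PLAINTEXT_RECORD = {"user": "alice", "password": "correct horse battery"}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune per hardware)


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A random per-user salt means identical passwords yield different
    records, so a leaked table cannot be attacked with one precomputed lookup.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, actual)


def record_exposes_password(record: str, password: str) -> bool:
    """True if the stored record contains the password verbatim (plaintext storage)."""
    return password in record


if __name__ == "__main__":
    pw = PLAINTEXT_RECORD["password"]
    hashed = hash_password(pw)
    print("stored:", hashed)
    print("exposes plaintext:", record_exposes_password(hashed, pw))  # False
    print("login ok:", verify_password(hashed, pw))                   # True
    print("wrong pw:", verify_password(hashed, "wrong"))              # False
```

With hashed records, an insider who can read or query the table sees only salts and digests; recovering a password means guessing it offline against the work factor, rather than reading it.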

What’s more troubling about this discovery is that the passwords were readily accessible, in readable form, to Facebook employees, affecting accounts dating back to 2012. In total, over 20,000 Facebook employees had searchable access to the passwords, and the plain text folly affected between 200 million and 600 million users in total.

Brian Krebs also dropped this interesting nugget in his blog post on the latest security flub at Facebook. “My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.”

For its part, Facebook has penned a new blog post, entitled “Keeping Passwords Secure,” that addresses the matter directly. The first thing that caught our attention is found right in the first sentence of the blog post. While KrebsonSecurity only caught wind of the plain text “fail” recently, Facebook actually learned about it in January “as part of a routine security review.”


The company goes on to state that it has “fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.” The company adds, “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”

It’d be interesting to know whether we would have even heard about this incident had it not been brought to the public’s attention. It doesn’t seem likely that it would have taken Facebook two months to come up with a mechanism for alerting its users to the potential security/privacy violations. It’s especially troubling that it took Facebook this long to publicly react given the amount of scrutiny it is currently under from U.S. regulators.

According to Facebook, there is no evidence that passwords were made accessible to anyone outside of the company. Facebook also contends that access to the passwords stored in plain text was not abused internally.

“There is nothing more important to us than protecting people’s information,” Facebook writes. “We will continue making improvements as part of our ongoing security efforts at Facebook.”