Facebook admits storing millions of passwords in readable format

By Xite - March 22, 2019
In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them. Facebook did not find any evidence of password abuse.

Social media giant Facebook stored millions of passwords of users in plain readable text for years, making them vulnerable to hackers or anyone for who would have internal access to the files.

The passwords are generally protected with encryption technique called as hashing, but according to Krebs on Security, a vulnerability in few of the Facebook-branded apps left passwords accessible to over 20,000 company employees.

According to the security firm, between 200 million and 600 million Facebook users are believed to have been affected. The social media giant has also confirmed the issue in a blog post, saying that the problem was identified in January as part of a security review. The company says that the issue has now been fixed and will notify everyone affected.

‘We found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,’ Facebook said in a blog post.

According to Facebook, there’s no proof that the vulnerable passwords were exposed or abused outside of the company.

‘To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity,’ added Facebook.

While there is no evidence of abuse, however, at least 2,000 Facebook employees searched through the files containing passwords. The reason not being clear still, the security firm Krebs and Security reported.

This stored password vulnerability comes latest in a series of bad issues surrounding Facebook. Earlier, a hacker stole login tokens that gave him access to personal information of almost 29 million accounts.

We also spoke to Paul Ducklin, Senior Technologist, Sophos and here is what Ducklin thinks:

Should I change my Facebook password?

Sophos: Why not? It's perfectly possible that no passwords at all fell into the hands of any crooks as a result of this. But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before), then you can expect them to be abused. Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed.

So, our advice is: change your password now.

Q. Should I turn on two-factor authentication?

Sophos: Yes, turn on two-factor authentication (2FA) now. We've been urging you to do use two-factor authentication everywhere you can anyway - it means that a password alone isn't enough for crooks to raid your account.

If you are reluctant to give Facebook your phone number, use app-based authentication, where your mobile phone generates a one-time code each time you log in.

Q. Should I close my Facebook account?

Sophos: We can't answer that for you. Given that the wrongly-stored passwords weren't easily accessible in one database, or deliberately stored for routine use during logins, we don't think this breach alone is enough reason to terminate your account. On the other hand, it's a pretty poor look for Facebook, and it might be enough, amongst all the other privacy concerns that have dogged Facebook in recent years, to convince you to take that final step. In short, you have to decide for yourself. (If it helps you decide, we're not closing our accounts.)

  • Tags
  • Facebook
  • Social Media