UPDATED 16:13 EST / MARCH 21 2019

Oops: Facebook kept up to 600M users’ passwords in plain text for years

A series of technical mishaps led Facebook Inc. to store the passwords to hundreds of millions of user accounts in unencrypted plain text, it was revealed today.

The social networking giant acknowledged the snafu this morning following an exposé by cybersecurity journalist Brian Krebs. According to an unnamed “senior Facebook employee” who spoke with Krebs, the issue is believed to have affected anywhere from 200 million to 600 million people. That amounts to roughly a fifth of the company’s global user base when looking at the high end of the estimate.

Pedro Canahuati, Facebook’s vice president of security and privacy engineering, offered some more details on the incident in a blog post. The executive indicated that most of the affected people are users of Facebook Lite, a version of the social network geared toward regions with unreliable internet connectivity.

“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” Canahuati wrote. He added that the company has fixed the technical issues that exposed the data.

Facebook didn’t find any evidence to suggest the plain-text credentials were misused. The passwords were accessible to only about 2,000 of the company’s engineers and developers, according to the insider who spoke with Krebs. An internal investigation reportedly found that files containing plain-text passwords were queried approximately 9 million times by employees.

Besides the sheer number of user credentials involved, it’s also alarming how long it took Facebook to respond. Canahuati wrote that the company discovered the plain-text passwords in January, more than six years after the issue reportedly first emerged.

The news is already raising fresh questions about Facebook’s handling of user data as it still deals with the fallout from earlier security and privacy controversies.

“This is simple server administration,” Sherban Naum, senior vice president for corporate strategy and technology at the cybersecurity firm Bromium Inc., said in an email to SiliconANGLE. “Events like this are contradictory to the basics of IT security best practices, which Facebook, with its plentiful resources and technical expertise, should be more than capable of achieving.”

In October, the company disclosed that hackers had compromised the accounts of 30 million users. More recently, Facebook has come under fire for striking data-sharing deals with other tech companies and running user studies that required participants to share extensive information about their online habits.

The incident is also a reminder to users to be careful about passwords for all their accounts, not just Facebook. “For the safety of your account, it is highly recommended that you change your password periodically and not use the same password across all accounts,” Yuval Ben-Itzhak, chief executive of the social media marketing platform Socialbakers, told SiliconANGLE.

With reporting from Robert Hof
