Ride the Lightning

Hundreds of Millions of Facebook User Passwords Sat Exposed in Plain Text

March 25, 2019

CNET reported on March 21st that hundreds of millions of passwords were an open book on Facebook's internal servers. An internal investigation at Facebook in January found that all those passwords were stored in plain text, meaning it was possible for the social network's employees to easily find and potentially abuse the login credentials.

The company found "no evidence to date" that any staffers improperly accessed those passwords, Pedro Canahuati, Facebook's vice president of engineering, security and privacy, said in a blog post Thursday.

Facebook said it will be notifying hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users. The company said it first discovered the problem as part of a routine security review in January.

Facebook has more than 2.3 billion monthly users, and Instagram has more than 1 billion.

Security standards recommend that companies encrypt passwords when they store them, so that employees and potential attackers don't have access to a treasure trove of login credentials. Facebook said it hashes and encrypts passwords, but it's unclear how hundreds of millions of accounts had their passwords in plain text on internal company servers. It is still investigating the cause.

Facebook has company of course. Last May, Twitter advised 330 million users to change their passwords after discovering a bug that stored them in plain text on its internal logs. Github had a similar screw up revealed last May.

A lot of FB users have been rhetorically asking, "Can you remind me again why we're here?" Darn good question.

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson