You would think that Facebook really takes care of the security of its users’ passwords; you are wrong. It has been revealed recently that Facebook was accidentally storing hundreds of millions of passwords on the internal company servers as unmasked plain text since 2012.
Pedro Canahauti, Facebook’s vice president of Engineering, Security, and Privacy, has admitted that during a security review in January 2019, the company discovered that ‘some user passwords’ were being stored internally by Facebook in unmakes plain text. Canahuati said, ‘This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues, and as a precaution, we will be notifying everyone whose passwords we have found were stored in this way.’
What caused this debacle to take place? Passwords are generally encrypted by making use of hashing – scrambling the readable text into gibberish. The software engineers built applications on their platform that had errors and ended up recording the unmasked and readable passwords without hashing them.
The issue was first flagged by Krebs on Security. According to reports, anywhere between 200 million to 600 million Facebook users had their passwords exposed. Facebook has admitted that the passwords are hundreds of millions for Facebook Lite users, tens of millions for regular Facebook users, and tens of thousands of Instagram users. However, Canahauti said, ‘these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them.’
Simply put, these passwords were available to more than 20,000 Facebook employees that enjoy access to the company’s internal server. Regardless of the intentions of the employees, that is excess control that a Facebook employee has over the privacy and security of the user. According to an anonymous source at Facebook, ‘access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.’
However, software engineer Scott Renfro at Facebook said, ‘We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.’
Facebook has approximately 2.5 billion active monthly users thus putting the affected users at a percentage between 8 and 24. 8-24% of Facebook’s active monthly users had their passwords just sitting there on the company’s internal server. The fact that these unmasked and un-hashed passwords have not been detected early raises some serious questions about how the quality assurance team at Facebook is conducting its job.
We are sure that Facebook will provide a more detailed explanation soon but let’s face it; the company has already had a tough year, and we are not sure if many would be willing to take the company’s word for it!