Facebook stored hundreds of millions of user passwords in plain text
Plain text passwords were stored on the company's servers and searchable by employees
A new report from Krebs On Security has revealed that Facebook stored the account passwords of hundreds of millions of users in plain text, and that they were easily searchable by thousands of its own employees, in some cases going back to 2012.
According to a senior employee familiar with the investigation, the social networking giant is currently probing a series of security failures in which employees wrote applications that logged unencrypted password data for Facebook users and stored this information in plain text on internal company servers.
So far, the investigation has discovered that between 200m and 600m Facebook users may have had their account passwords stored on its servers and searchable by over 20,000 employees.
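The failure described above is a logging bug: an application writes the raw request, password field included, into a log that other staff can search. The following is an added example, not code from Facebook or from the report, showing a small Python logging filter that redacts credential fields before a record is written, together with a scanner that flags existing log lines still carrying a plaintext password. Field names, log format and sample lines are constructed for the example.

```python
import io
import logging
import re

# Constructed list of field names whose values must never reach a log line.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "new_password", "old_password"}

# Matches key=value and "key": "value" pairs for any sensitive key. The value class is
# deliberately greedy (it does not stop at '&'), so it over-redacts rather than leaking.
_CRED_RE = re.compile(
    r'(?i)(?P<key>\b(?:%s)\b)(?P<sep>"?\s*[:=]\s*"?)(?P<val>[^\s",}]+)'
    % "|".join(sorted(SENSITIVE_KEYS))
)

def redact(text: str) -> str:
    """Replace the value of every credential-like field with a fixed marker."""
    return _CRED_RE.sub(lambda m: f"{m.group('key')}{m.group('sep')}[REDACTED]", text)

class CredentialRedactingFilter(logging.Filter):
    """Scrub credentials from the fully formatted message before any handler emits it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted; drop args so nothing re-enters via %-formatting
        return True

def build_logger(stream) -> logging.Logger:
    """Logger whose only handler runs the redacting filter; writes to the given stream."""
    logger = logging.getLogger("auth-demo")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(CredentialRedactingFilter())
    logger.addHandler(handler)
    return logger

def demo_logged_line(raw_request: str) -> str:
    """Log a request body the way a careless debug statement would, and return what was written."""
    buf = io.StringIO()
    build_logger(buf).info("login attempt: %s", raw_request)
    return buf.getvalue().strip()

SAMPLE_LOG = [  # constructed sample lines standing in for an archived internal log
    "2012-03-01 login user=alice password=hunter2 result=ok",
    "2012-03-01 login user=bob result=fail",
    '2019-03-20 debug body={"user": "carol", "password": "Tr0ub4dor"}',
    "2019-03-20 login user=dave password=[REDACTED] result=ok",
]

def find_plaintext_passwords(lines) -> list:
    """Return 1-based line numbers whose credential fields still hold a real value."""
    return [i for i, line in enumerate(lines, 1)
            if any(m.group("val") != "[REDACTED]" for m in _CRED_RE.finditer(line))]
```

Running the scanner over an archive is the detection step; installing the filter on every handler is the mitigation, and a line that reaches storage unredacted is itself the finding to act on.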
The company is still trying to determine exactly how many passwords were exposed and for how long but archives with plain text user passwords have been discovered that date back to 2012.
Plain text passwords
Access logs at Facebook show that around 2,000 engineers or developers made nine million internal queries for data elements that contained plain text user passwords.
Facebook software engineer Scott Renfro provided further insight into the ongoing investigation in an interview with Krebs On Security, saying:
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
Affected users will not have to change their passwords as they were not leaked outside of the company, though Facebook is preparing to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.