You would think Facebook has your account security as one of its main priorities, right? Well, you might want to reconsider that, because Facebook’s “days since last security incident” meter has been reset. In a blog post on Thursday, Facebook confirmed that it had stored “hundreds of millions” of account passwords in plaintext for many years. The company was confirming a report by cybersecurity reporter Brian Krebs, who had revealed that Facebook was storing passwords in plaintext.
Facebook’s Pedro Canahuati said the discovery was made in January during a routine security review. To calm the anger, he added that the passwords were never visible to anyone outside Facebook. The company only admitted the lapse months later, after Krebs reported that the logs holding the passwords were accessible to around 2,000 Facebook engineers and developers. In other words, millions of passwords were readily viewable by Facebook engineers and developers, even though they were never exposed to the public. Krebs added that the bug dated back to 2012, so it could potentially have been abused over many years.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” said Canahuati. “We have found no evidence to date that anyone internally abused or improperly accessed them,” he added, but the company did not explain how it reached the conclusion that the passwords were not abused or improperly accessed.
It’s not just the main Facebook platform that suffered from this bug. Facebook said that “tens of thousands of Instagram users” will be notified of the exposure, as well as “hundreds of millions of Facebook Lite users,” confirming that Instagram and Facebook Lite users were affected too. Facebook Lite is the lighter version of the platform for users in regions where internet speeds are slow and bandwidth is expensive.
Facebook’s approach to storing passwords is quite puzzling, to say the least. Companies typically salt and hash passwords: the password is combined with a random per-user value (the salt) and run through a one-way hash function, and only the salt and the hash are stored. Because the hash cannot be reversed, this lets a company verify a user’s password at login, by hashing what the user typed with the same salt and comparing the result, without ever holding the password itself. Krebs said that around 600 million users could have been affected by this bug, roughly one-fifth of the company’s 2.7 billion users. Facebook has not so far confirmed the total number of users affected.
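The salted, one-way storage described above, as an added example that is not Facebook’s code and not taken from the original article. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the field names, and the in-memory records are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption: iteration count chosen for PBKDF2-HMAC-SHA256; a real deployment
# would tune it to its hardware and follow current guidance.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return the record that is stored INSTEAD of the password.

    The record holds only the random salt and the derived hash, so anyone who
    can read it (an engineer with log access, a database dump) does not learn
    the password. The optional salt parameter exists only for testing; in
    normal use a fresh random salt is generated per user.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh, unpredictable salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_password(record: Dict[str, object], candidate: str) -> bool:
    """Check a login attempt without ever possessing the stored password.

    The candidate is hashed with the user's stored salt and iteration count,
    and the two digests are compared in constant time so that the comparison
    itself does not leak how many leading bytes matched.
    """
    salt = bytes.fromhex(str(record["salt"]))
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, int(record["iterations"])
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def records_differ(password: str) -> bool:
    """Show the salt's effect: the same password stored twice yields two
    different records, so identical passwords cannot be spotted by eye and a
    precomputed table cannot be applied to the whole user table at once."""
    first, second = hash_password(password), hash_password(password)
    return first["salt"] != second["salt"] and first["hash"] != second["hash"]


if __name__ == "__main__":
    # Constructed demo data; nothing here is a real account.
    users = {"alice": hash_password("correct horse battery staple")}
    print("stored record for alice:", users["alice"])
    print("right password accepted:", verify_password(users["alice"], "correct horse battery staple"))
    print("wrong password rejected:", not verify_password(users["alice"], "Correct horse battery staple"))
    print("same password, different records:", records_differ("hunter2"))
```

Note what the stored record contains: a salt, a hash, and a work factor, but no recoverable password. A logging pipeline that writes request bodies verbatim would still capture the plaintext on its way to `hash_password`, which is why the hashing must happen before anything is logged, not merely before the value reaches the user database.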