Facebook has admitted to storing ‘hundreds of millions’ of account passwords in plaintext

You would think Facebook has your account security as one of its main priorities, right? Well, you might want to reconsider that, because Facebook’s “days since last security incident” meter has been reset. In a blog post on Thursday, Facebook confirmed that it stored “hundreds of millions” of account passwords in plaintext for many years. The company was confirming a report by cybersecurity reporter Brian Krebs, who said Facebook had been storing passwords in plaintext.

Facebook’s Pedro Canahuati said the discovery was made in January during a routine security review. To try and calm the anger, he added that the passwords were not visible to anyone outside Facebook. He admitted the security lapse months later, after Krebs said the logs were accessible to around 2,000 Facebook engineers and developers. In other words, millions of passwords were readily visible to Facebook engineers and developers, but were not publicly available. Krebs added that the bug dated back to 2012, so it could potentially have been abused over many years.

“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” said Canahuati. “We have found no evidence to date that anyone internally abused or improperly accessed them,” he said, but he stopped short of explaining how the company came to the conclusion that the passwords weren’t abused or improperly accessed.

It’s not just the main Facebook platform that suffered from this bug. Facebook said that “tens of thousands of Instagram users” will be notified of this exposure, as well as “hundreds of millions of Facebook Lite users,” meaning Instagram and Facebook Lite users were affected too. Facebook Lite is the lighter version of the platform for users whose internet speeds are slow and whose bandwidth is expensive.

Facebook’s approach to storing passwords is quite puzzling, to say the least. Companies typically hash and salt passwords — two ways of further scrambling passwords — to store everything securely. These methods allow companies to verify a user’s password without knowing what the password is. Krebs said that around 600 million users could have been affected by this bug, which is about one-fifth of the company’s 2.7 billion total users. Facebook has not yet confirmed the total number of users affected.
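To make the hash-and-salt idea concrete, here is an added example (not Facebook's code, and not from the reports cited above) that stores only a salted scrypt hash, verifies a login against it, and scrubs password fields from log lines before they are written. The scrypt cost parameters, the field names in the pattern and the sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import logging
import os
import re

# Assumed scrypt cost parameters for this example; tune them for real hardware.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def hash_password(password):
    """Return (salt, digest). Only these two values are stored, never the password."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)

# Assumed field names; a real service would list every credential-bearing key it uses.
SENSITIVE = re.compile(r"(?i)\b(password|passwd|pwd)=([^&\s]+)")

def redact(line):
    """Replace the value of any password-like field with a fixed marker."""
    return SENSITIVE.sub(r"\1=[REDACTED]", line)

class RedactSecrets(logging.Filter):
    """Logging filter that scrubs password fields before a record is emitted."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted
        return True

if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    salt, digest = hash_password("hunter2-constructed")
    print(verify_password("hunter2-constructed", salt, digest))  # correct password
    print(verify_password("wrong-guess", salt, digest))          # wrong password

    log = logging.getLogger("login")
    handler = logging.StreamHandler()
    handler.addFilter(RedactSecrets())
    log.addHandler(handler)
    log.warning("POST /login email=alice@example.test&password=%s", "hunter2-constructed")
```

Hashing protects the stored credential, but the password still passes through the login code in the clear, which is why the log filter matters: a request body written to a log bypasses the hash entirely.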

Hamza Khalid

Hamza Khalid is the Lead Editor at The Jolt Journal.