In yet another devastating privacy blunder, Facebook has admitted that it inadvertently stored user passwords in plaintext, searchable by employees.
Between 200m and 600m passwords belonging to Facebook’s 2.3bn user population were stored in readable format within its internal system that employees could access.
It is understood that the passwords were accessible to as many as 20,000 Facebook employees and date back as early as 2012. The vulnerability affects hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users. Lite is a version of Facebook designed for low-speed connections and low-spec mobile phones.
‘As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems’
– PEDRO CANAHUATI
According to infosec blog Krebs on Security, Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plaintext on internal company servers.
The blog cited a senior Facebook employee who said access logs showed 2,000 engineers or developers made approximately 9m internal queries for data elements that contained plaintext user passwords.
Facebook said that an ongoing investigation has so far found no indication that employees have abused access to this data.
Another privacy scandal
Once again, the social network has been plunged into another privacy scandal, just a year after the Cambridge Analytica debacle as well as two high-profile breaches in 2018, one of which has prompted an investigation by Ireland’s Data Protection Commissioner under GDPR rules.
A quote contained in the Krebs report makes for uncomfortable reading. “The longer we go into this analysis, the more comfortable the legal people [at Facebook] are going with the lower bounds of affected users,” the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
In a statement, Facebook, as usual, downplayed the situation.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” said Pedro Canahuati, vice-president of security and privacy engineering at Facebook.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users.”
Canahuati added: “In the course of our review, we have been looking at the ways we store certain other categories of information – like access tokens – and have fixed problems as we’ve discovered them. There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.”
He said that Facebook masks people’s passwords when they create an account and uses signals to detect suspicious activity. He added that “people can also sign up to receive alerts about unrecognised logins” and that Facebook has also introduced the ability to register a physical security key such as a USB thumb drive. “This measure is particularly critical for high-risk users including journalists, activists, political campaigns and public figures.
Canahuati said that while no passwords were exposed externally and Facebook found no evidence of abuse “to date”, people can still change their passwords, pick strong and complex passwords, and enable two-factor authentication.
However, Facebook needs to wake up. Hundreds of millions of users’ passwords were left vulnerable on its systems for employees to access. How on Earth is that supposed to be reassuring to the billions of people whose trust in the social network has already been shaken to the core by events of the past year?
Glibly suggesting people change their passwords or take more elaborate security measures is a little condescending, especially after the fact that the horse has bolted.
Facebook, your users and your community deserve better.