A cybersecurity expert has broken a story on a major data breach (of trust) by Facebook, forcing the company to respond.
Already under fire for its questionable ethics concerning user data, the social media giant has had to acknowledge that, yes, hundreds of millions of Facebook users’ passwords were stored in a plain text file that was searchable by thousands of Facebook’s employees.
Cybersecurity journalist Brian Krebs broke the story earlier today.
Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.
The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012.
My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.
So far, Facebook is confident that this data was not used inappropriately by any employee who had access. However, the company also said it was concerned, because its password system was built to mask passwords specifically so that this kind of exposure could not happen.
As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.
To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.
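The failure described above is an internal application formatting whole login requests into a log store, bypassing a login system that only ever keeps masked passwords. The following is an added illustration, not code from the article, from Krebs or from Facebook: the unsafe logging pattern beside a redacting version, the hashed-storage side the statement alludes to (scrypt is assumed here; Facebook's actual technique is not named), and an audit helper that flags existing log lines carrying a credential in the clear. Field names and sample records are constructed.

```python
import hashlib
import hmac
import os
import re

# Field names that must never reach a log store (constructed list; extend to your own).
SENSITIVE_KEYS = ("new_password", "password", "passwd", "pwd")


def redact(record):
    """Return a copy of a dict with sensitive values replaced, recursing into nested dicts."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


def log_login_unsafe(record):
    # The pattern behind the incident: the whole request is formatted into the log line.
    return "login attempt %r" % (record,)


def log_login_safe(record):
    # Same log line, but the credential is scrubbed before the line is built.
    return "login attempt %r" % (redact(record),)


# Storage side: keep only a salted, memory-hard hash, never the password itself.
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


# Audit side: find credential fields whose value appears unredacted in a log line.
_LEAK = re.compile(
    r"['\"]?(%s)['\"]?\s*[:=]\s*['\"]?([^'\",}\s]+)" % "|".join(SENSITIVE_KEYS), re.I
)


def leaked_credential_fields(log_line):
    """Return the names of sensitive fields that a log line exposes in readable form."""
    return [m.group(1) for m in _LEAK.finditer(log_line) if m.group(2) != "[REDACTED]"]
```

Running `leaked_credential_fields` over an archive of existing log lines is the kind of check the article says other companies should be doing on their own systems.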
The scandal is the latest in a series of user data violations that have rocked the company since at least 2016. The use of data during the 2016 campaign raised several flags for politicians on both sides of the aisle, forcing Facebook founder Mark Zuckerberg to come before Congress and explain his company’s actions to them.
Facebook’s press release is also nothing short of a slap in the face to users. They will “notify” those affected, but they have not yet stated whether or not they will force a password change. There is no way they have had enough time to investigate and vet every single employee who had access to this document, but they are pretty sure everything’s okay. That’s insane.
There is no other way to put it: This is a dangerous situation for Facebook and Instagram users. That level of exposure in the wrong hands could cause major security issues across the entire Internet – not just Facebook. The average person, despite warnings, uses the same password for multiple sites, including sites where they have credit card and bank information stored so they can order things online.
How Facebook has survived its scandals before is beyond me, but this is the kind of thing that should bring in outside investigators. If nothing else, the level of hubris in not checking to make sure this kind of thing never happened is why Facebook is currently in the trouble it’s in. It has spent so much time on top of the mountain that it never worried about the climb it took to get there.
As a result, misstep after misstep has forced the company to admit to things that should horrify the general public. This story, in particular, had better prompt other companies to learn from Facebook and 1) check their systems for this kind of issue and 2) make sure their systems don’t contain any other kind of breach.
At this point, it may seem safer to go back to MySpace, whose only recent scandal involves a server transfer that thankfully deleted photos of me from high school.
I forgot my password so I haven’t checked.