Career Moves

Facebook stored hundreds of millions of user passwords in plain text

Read time 3min 20sec
Another security issue for Facebook.
Another security issue for Facebook.

Facebook is in hot water again, after it was revealed it stored passwords for hundreds of millions of users in plain text, searchable to as many as 20 000 employees who had internal access to the files.

According to Krebs on Security, who first noticed the flaw, some cases go back as far as 2012, and between 200 million and 600 million Facebook users are believed to have been affected.

Facebook says there is no evidence that plain text passwords were exposed outside of itself, or that any were abused by employees. However, it admitted the issue has affected "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users".

Despite there being no evidence of abuse, at least 2 000 Facebook staff searched through the files containing passwords, although nobody knows specifically what for.

In a blog post, Pedro Canahuati, VP Engineering, Security and Privacy at Facebook said the company discovered this flaw as part of a routine security review in January.

When dealing with large technology companies, be prepared to understand that they know everything about you. Ilia Kolochenko, High-Tech Bridge

"This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."

He added that during the course of the review, Facebook had been scrutinising the ways it stored certain other categories of information, such as access tokens, and has fixed problems as it has discovered them.

Protecting users

"There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook," he adds.

ITWeb Security Summit 2019

Security Summit 2019 has secured eight international keynote speakers to discuss the latest trends and threats facing SA's security community. We have Graham Cluley, an independent computer security expert and public speaker, Ofir Hason, CEO & co-founder, of CyberGym in Israel, and Pete Herzog, MD of The Institute for Security and Open Methodologies (ISECOM) in Spain and many more. To find out more and to register, click here.

He says Facebook masks users' passwords when they create an account so that no one at the the social network can see them. This is called 'hashing' and 'salting' the passwords, and includes using a function called "scrypt" as well as a cryptographic key that lets Facebook irreversibly replace the actual password with a random set of characters.

"With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text," he adds.

However, Facebook has been beleaguered by security and improper data sharing issues. Towards the end of last year, an attacker stole access tokens for 30 million accounts, enabling them to gain complete access to the profiles. Earlier in the year, the BBC reported that hacked private messages from 81 000 users were found up for sale online.

And let's not forget the scandal in early 2018, when it was revealed that Cambridge Analytica harvested the personal data of millions of Facebook profiles without their consent and used it for political purposes.

Shadow data

Ilia Kolochenko, CEO of Web security company High-Tech Bridge, says this sort of incident is fairly widespread in large technology companies.

"The problem is that shadow data and its usage are virtually uncontrollable, and even now it would be premature to conclude that the [Facebook] issue is fully remediated - numerous backups, including custom backups made by employees, may still exist in different and unknown locations.

"When dealing with large technology companies, be prepared to understand that they know everything about you and [internally] may handle this data differently from what their policy or terms of services say," he warns.

Login with