Facebook has discovered and now fixed a glitch that stored as many as 600 million passwords in plaintext within internal systems. Stored without the salted hashing that should protect credentials at rest, the passwords were readable by up to 20,000 employees, and some records could date as far back as 2012.
Although Facebook has since stated that it discovered the flaws back in January during a routine security review, security researcher Brian Krebs broke the news in an exposé. According to a “senior Facebook insider” speaking with Krebs, “access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords.”
Addressing the now-public information, Facebook’s vice-president for engineering, security and privacy, Pedro Canahuati, said that the company had been conducting a thorough investigation into the matter and expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” For those unaware, Facebook Lite is a stripped-back version of the social media platform intended for countries where internet access is limited and infrastructure is poor.
“We have found no evidence to date that anyone internally abused or improperly accessed,” explains Canahuati. Furthermore, the passwords themselves “were never visible to anyone outside of Facebook,” minimising the risk posed by the mistake. The flaw has already been plugged, so passwords are now stored only in properly hashed form should the data fall into the wrong hands. Hashing going forward does not erase the plaintext copies that were already written, which is why the notifications to affected users are still going out.
The Information Commissioner’s Office has not imposed a fine upon the company for the mishap, but it has reiterated its warning to companies not to store passwords in plaintext. “Make sure you use a suitable hashing algorithm, or another mechanism that offers an equivalent level of protection against an attacker deriving the original password. You should also ensure that the architecture around your password system does not allow for any inadvertent leaking of passwords in plaintext,” concludes the UK data protection regulator.
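The ICO’s two points map onto two separate pieces of code: how the password is stored, and what the surrounding code writes to logs. The example below is added here to illustrate both and is not Facebook’s code or anything from the Krebs report. It shows the logging pattern that leaks a plaintext password (dumping the whole login request into a debug line) next to a hardened version that redacts credential fields, alongside salted scrypt storage with constant-time verification. The field names, the sample login request and the redaction list are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample login request, standing in for what a login endpoint receives.
SAMPLE_REQUEST = {"user": "alice", "password": "correct horse battery staple"}


# --- The problem: the password hash may be fine, but the code around it leaks ---
def log_login_insecure(request: dict) -> str:
    """Debug log line that dumps the request verbatim, password included.

    This is the architectural leak the ICO warns about: the credential ends
    up readable in internal logs regardless of how well it is hashed later.
    """
    return "login attempt: " + json.dumps(request)


# --- Hardened version -------------------------------------------------------
# Assumed names of fields that must never reach a log record.
REDACTED_FIELDS = {"password", "passwd", "pwd", "token", "secret"}


def redact(record: dict) -> dict:
    """Replace credential-bearing fields before the record goes anywhere near a log."""
    return {
        key: ("[REDACTED]" if key.lower() in REDACTED_FIELDS else value)
        for key, value in record.items()
    }


def log_login_secure(request: dict) -> str:
    """Same log line, but built from the redacted copy of the request."""
    return "login attempt: " + json.dumps(redact(request))


# Storage: a salted, memory-hard KDF from the standard library. Only the
# salt and derived key are kept; the password itself is never persisted.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1}  # ~16 MiB per derivation


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>' with a fresh random salt per password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex), dklen=32, **SCRYPT_PARAMS
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def leaks_plaintext(log_line: str, password: str) -> bool:
    """Check a log-review job can run: does the submitted password appear verbatim?"""
    return password in log_line


if __name__ == "__main__":
    print(log_login_insecure(SAMPLE_REQUEST))  # password visible in the log line
    print(log_login_secure(SAMPLE_REQUEST))    # password replaced with [REDACTED]
    stored = hash_password(SAMPLE_REQUEST["password"])
    print(stored, verify_password(SAMPLE_REQUEST["password"], stored))
```

The `leaks_plaintext` check is the kind of test worth wiring into a CI job or a periodic log-scanning task with a known canary password: it catches the second failure the ICO describes, a correctly hashed credential store surrounded by request logging that copies the plaintext anyway.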
KitGuru Says: Since data has been confirmed not to have been copied, it’s unlikely that any employee could remember 600 million passwords. Still, it’s not worth risking being the one they do remember, so we would always recommend swapping out your password for something new, and potentially stronger.