In the latest addition to the pile of security- and privacy-related issues plaguing Facebook, account passwords for hundreds of millions of users were stored on the company’s internal servers in plain text.
The only good news: Facebook claims that no one outside of the company had access to the information, and it has not found evidence of anyone inside the company improperly accessing or exploiting the passwords in any way.
Internet security expert Brian Krebs revealed in a blog post Thursday morning that a Facebook source told him that the account passwords of between 200 million and 600 million users may have been stored in plain text, accessible and searchable by over 20,000 employees of the social network dating as far back as 2012.
According to Krebs’ Facebook source, internal access logs showed that 2,000 engineers or developers made some 9 million internal queries for data elements containing those plain text passwords.
“This is simple server administration,” said Sherban Naum, svp for corporate strategy and technology at cybersecurity company Bromium. “Password data is a lucrative source for cybercriminals willing to pay for that information. Events like this are contradictory to the basics of IT security best practices, which Facebook—with its plentiful resources and technical expertise—should be more than capable of achieving.”
Facebook vp of engineering, security and privacy Pedro Canahuati confirmed the issue in a Newsroom post later on Thursday. He said the social network estimates tens of millions of Facebook users, tens of thousands of Instagram users and hundreds of millions of users of Facebook Lite—the slimmed-down Android application for users with poor connectivity and/or older devices—were affected and will be notified.
Prior to the social network’s response, Facebook software engineer Scott Renfro spoke with Krebs, saying that affected users would be alerted, but password resets were not necessary.
“What we’ve found is that these passwords were inadvertently logged, but that there was no actual risk that’s come from this,” Renfro told Krebs. “We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
Canahuati said Facebook will continue to review its security efforts, including the ways it stores other data, such as access tokens, fixing issues as it discovers them.
The current issue was discovered as part of a routine security review in January and has since been corrected.
Renfro told Krebs, “We have a bunch of controls in place to try to mitigate these problems, and we’re in the process of investigating long-term infrastructure changes to prevent this going forward.”
Gartner analyst Avivah Litan said, “I don’t know why anyone uses Facebook, frankly. It’s just a dangerous place if you value your privacy. I haven’t seen passwords stored in clear text in years. There are so many systems for hashing and encrypting. [Facebook is] much better at advertising algorithms than it is at security.”
Facebook said that when accounts are created, their passwords are “hashed” and “salted” via a function known as “scrypt,” as well as a cryptographic key that replaces the actual characters that make up the passwords with sets of random characters. This enables the social network to validate logins without having to store passwords in plain text.
Canahuati added that Facebook uses several signals to detect suspicious activity, including asking additional verification questions when passwords are entered properly but from unrecognized devices or unusual locations.
“I don’t think that consumers will delete their Facebook accounts because of this,” Litan said. “It’s more likely that they will stop using Facebook to use other forms of communication. It’s not an issue of technology solutions not being around: It’s really an issue of the business model.”