Report: Facebook Stored Millions of Passwords in Plaintext


Facebook Under Fresh Scrutiny Over How It Stored User Passwords

March 21, 2019

Image caption: Facebook's response to news reports.

Facebook has corrected an internal security issue that caused the company to store millions of user passwords in plaintext, where they were available to employees through an internal search tool. The move follows a report published Thursday on Krebs on Security.


All told, the social media giant had stored between 200 million and 600 million passwords in plaintext, some of which date to 2012. Internally, some 20,000 employees could access the data, although the company claims that insiders did not abuse their access, according to Krebs.

In a statement posted Thursday, Pedro Canahuati, vice president of Engineering, Security and Privacy at Facebook, says that the company has stopped the practice of storing passwords in plaintext and that no one from outside the company accessed the data.

However, Krebs reports that over the past several years, about 2,000 Facebook engineers and developers made about 9 million internal queries against data that included many of these plaintext passwords.

Almost immediately after the Krebs post went public, Facebook issued a statement saying that the issue was first discovered in January, that the company had since corrected it and that no passwords had leaked. Despite the reassurances, the company is likely to face additional scrutiny over how it treats user data and privacy.

If we ever get the ground truth on why @facebook was storing passwords in the clear, I'll bet 2:1 odds that they were either being logged as a URL parameter or used to impersonate users to see their user experience first hand. 1/2 https://t.co/z2C4rvqpq5

— Jake Williams (@MalwareJake)

Facebook users are being notified as of Thursday. Asked for comment, a company spokesman referred Information Security Media Group back to the statement posted on its press site.

"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," Canahuati writes. "We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users."

Facebook Lite is a version of the social media platform that is predominantly used by people in regions with lower levels of connectivity.

Facebook had approximately 2.32 billion monthly active users in the last quarter of 2018, according to surveys.

Facebook's Privacy Problems

This latest episode will likely add to the numerous problems that Facebook has encountered when it comes to ensuring user privacy.

Earlier this year, reports surfaced that the U.S. Federal Trade Commission is close to concluding its report about Cambridge Analytica, the now defunct political consulting firm associated with President Donald Trump's 2016 campaign, and how that company accessed data on about 87 million Facebook users without their consent.

The FTC could levy a record-setting fine against the company, according to public reports.

In February, Germany's competition authority cracked down on Facebook's data collection ability, requiring the company to gain a user's permission before it gathers any personal information. Facebook is expected to appeal that decision.

Additionally, Facebook is still investigating a data breach that its engineers first found in September 2018, which affected some 30 million users after attackers found a vulnerability in the site's "View As" feature that exposed security tokens.

Passwords Exposed

Facebook is only the latest example of a company that has exposed user passwords by storing them in plaintext.

In May 2018, social media rival Twitter urged its 330 million users around the world to change their passwords after a bug in its hashing process, which is supposed to replace each stored password with a string of random-looking characters, instead saved passwords in plaintext to an internal log.

A similar bug in GitHub's system also exposed user passwords in plaintext around the same time as Twitter reported its problem. It's not clear how many user accounts in that case were exposed, but the company did urge anyone who thought their password was exposed to reset it.

In its Thursday statement, Facebook's Canahuati writes that the company uses hashing methods to hide passwords, together with cryptographic keys, so that each stored password is replaced with a random-looking series of characters. Facebook also deploys other technology to alert users if someone else attempts to log into their account.