Facebook Failed To Properly Secure Up To 600 Million Users’ Passwords

In his weaker moments, Mark Zuckerberg must worry he’s in his own personal hell, reliving the same crisis over and over in a bad, real-life remake of the movie “Groundhog Day.”

Don’t look now, but Facebook is implicated in yet another large-scale data privacy snafu.

That’s according to an unnamed senior source at the social media platform, who told security researcher Brian Krebs that some internal Facebook applications have been logging and storing users’ passwords in plain text since at least 2012, albeit for seemingly innocent purposes.

So far, Krebs said on his blog Thursday, between 200 million and 600 million Facebook users likely had their account passwords logged in unencrypted text files. The passwords were theoretically searchable by 20,000 Facebook employees, though access logs indicate only about 2,000 of them actually queried the files.

Pedro Canahuati, Facebook’s engineering, security and privacy vice president, confirmed the insecure practice Thursday and pledged to notify all those who were affected.

Canahuati also sought to reassure these affected users by emphasizing that ― so far, at least ― no evidence has surfaced that the passwords were used for anything untoward, or accessed by anyone who shouldn’t have done so. The company said users won’t have to change their passwords, though they’re welcome to do so.

“To be clear, these passwords were never visible to anyone outside of Facebook,” he wrote, “and we have found no evidence to date that anyone internally abused or improperly accessed them.”

In addition to the impacted Facebook users, Canahuati said “tens of thousands” of Instagram accounts were exposed.

It’s commonplace for companies to store account information, including passwords, as part of operating a website. But typically those passwords are obscured by “hashing” and “salting” them, so that even if someone accesses the stored data, the passwords themselves remain hidden.

Facebook typically does this, but in some cases engineers apparently neglected to “hash” and “salt” some of the passwords they were collecting.

Company representatives told Wired the passwords were recorded by a handful of different sources, like crash logs, resulting in fragmented pockets of data instead of one big database.
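As an added illustration of the hashing-and-salting practice described above, and of how a crash handler can avoid capturing the raw password in the first place, here is example code written for this page (not Facebook’s own); the field names and sample values are constructed.

```python
import hashlib
import hmac
import os

# Keys that must never reach a crash log or debug dump in the clear.
SENSITIVE_KEYS = {"password", "passwd", "old_password", "new_password"}

# Constructed sample of a login request as a crash handler might capture it.
SAMPLE_REQUEST = {"user": "alice@example.invalid", "password": "hunter2-constructed", "ua": "test"}


def redact(fields):
    """Return a copy of a request dict with password-like values masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in fields.items()}


def crash_log_line(fields):
    """Format a crash-log entry; callers must pass redact()ed fields."""
    return "crash: " + " ".join(f"{k}={v}" for k, v in fields.items())


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries algorithm, rounds and salt."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print(crash_log_line(SAMPLE_REQUEST))          # the failure mode: password in the clear
    print(crash_log_line(redact(SAMPLE_REQUEST)))  # what should have been written instead
    stored = hash_password(SAMPLE_REQUEST["password"])
    print(stored, verify_password("hunter2-constructed", stored))
```

Because each password gets its own random salt, two users with the same password produce different stored values, and a leaked table cannot be reversed with a single precomputed lookup.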
