SecurityWeek

Identity & Access

Facebook Stored Passwords of Hundreds of Millions Users in Plain Text

Facebook today admitted to having stored the passwords of hundreds of millions of its users in plain text, including the passwords of Facebook Lite, Facebook, and Instagram users.

The social platform says it discovered the mishap as part of a routine security review in January. The passwords were stored in a readable format within its internal data storage systems, but only its employees had access to the data, the company says.

The issue has been addressed, and all of the affected users will be notified, Facebook announced. 

“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the company says.

The number of impacted users, however, is very large. The social platform estimates that hundreds of millions of people using Facebook Lite, tens of millions of other Facebook users, and tens of thousands of its Instagram users are impacted. 

“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them,” the company says. 

According to security blogger Brian Krebs, Facebook is currently investigating a series of incidents regarding employees who “built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.”

Krebs also says that the passwords of between 200 million and 600 million Facebook users may have been stored in plain text, and that over 20,000 Facebook employees may have been able to search those passwords. 

Advertisement. Scroll to continue reading.

Some of the passwords might have been stored in plain text for seven years, Krebs says. 

Facebook, which was subject to broad criticism last year after it was revealed that it had shared users’ data with other companies without informing the people affected, says it stores users’ passwords in line with security best practices, masking them so that “no one at the company can see them.”

“With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text,” the company claims. 

A report earlier this month revealed that US prosecutors have launched a criminal investigation into Facebook’s practice of sharing users’ data with other companies. In December last year, the social platform was accused of “cutting special deals with some advertisers to give them more access to data.” 

Last year, the company admitted that the data of up to 87 million people worldwide was harvested by political consulting company Cambridge Analytica via an academic researcher’s personality prediction app. 

Related: Mark Zuckerberg Describes a New Privacy-Centric Facebook

Related: Facebook Says ‘Clear History’ Feature Ready This Year

Written By

Ionut Arghire is an international correspondent for SecurityWeek.