Facebook Passwords Stored In Plain Text Exposed To Employees

Once again, a Facebook blunder has surfaced online. This time, the disclosure comes from Facebook itself! As revealed, Facebook inadvertently stored users’ passwords in plain text. Consequently, their internal employees could view and access those Facebook passwords.

Facebook Passwords Exposed Internally

Facebook has recently disclosed a blunder at their end that compromised users’ privacy. As disclosed, an error made users’ Facebook passwords visible to the internal staff of the tech giant. The incident happened as the internal data storage system began saving passwords in plain text instead of hashed forms.

As stated in a post by Facebook’s VP Engineering, Security and Privacy, Pedro Canahuati, the officials noticed the matter in January during a routine security review.

“…we found that some user passwords were being stored in a readable format within our internal data storage systems.”

The issue caught their attention since it didn’t reflect Facebook’s policy and best practice of masking passwords. Regarding their usual protocol of saving this information, he explained,

“Facebook masks people’s passwords when they create an account so that no one at the company can see them. In security terms, we “hash” and “salt” the passwords, including using a function called “scrypt” as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters.”

This helps them verify user login attempts without the need to save actual passwords in plain text.

With regards to the number of users affected by this incident, Canahuati didn’t specify a number. However, what he stated in his post looks scary,

“We estimate… hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”

Facebook’s Tips To Secure Account

The Facebook official confirmed that they have rectified the issue. Moreover, he also mentions about alerting users affected in this case.

“We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”

Besides, he confirmed no exposure of data to anyone outside Facebook and no abuse of passwords by the internal staff. Yet, he still shared some tips for the users to secure their accounts. Precisely, he advises the users to reset passwords of Facebook and Instagram accounts, and set strong passwords, preferably with a password manager. He also recommends using the security key for ensuring secure logins.

This isn’t the first time Facebook has made a mistake. Perhaps, as compared to the previous blunders, this one seems less devastating as the data exposure remained confined to the internal employees. In June 2018, Facebook made two such blunders that had affected the privacy of millions of users. In one instance, Facebook inadvertently made 14 million private photos visible to the public. Whereas, in another one, they mistakenly leaked app analytics report having sensitive information to app testers outside Facebook.

Update: We have been notified by members of the LHN Team that they have been taken through password resets by Facebook over the past few days without explanation; coincidence or could this be Facebook attempting the rectify the issue? Have you been asked to change your password recently? Let us know your thoughts in the comments section.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients