Hundreds of millions of Facebook user passwords have been stored in plain text for years, the social media giant acknowledged on Thursday.
KrebsOnSecurity, which first reported the news, said that between 200 million and 600 million passwords were stored in plain text, some dating back to 2012, and that they were searchable by thousands of Facebook employees. Plain text means the stored passwords were not encrypted or otherwise masked, so anyone with access to Facebook’s internal data storage systems could read them directly.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” said Pedro Canahuati, vice president of engineering, security and privacy at Facebook in a Thursday post. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
Facebook said it will notify hundreds of millions of Facebook Lite users (Facebook Lite is a version of Facebook predominantly used by people in regions with limited connectivity), as well as tens of millions of other Facebook users, and tens of thousands of Instagram users.
Canahuati said that the passwords were never visible to anyone outside of Facebook and that Facebook has found no evidence to date that anyone internally abused or improperly accessed them.
Despite that, Krebs reported that 2,000 engineers or developers made around nine million internal queries for data elements containing plain text user passwords.
“No matter how large a company is, how many CISOs it has, there is always this temptation among developers to make their life easier by simplifying basic security rules,” Bob Diachenko, cyber threat intelligence director at Security Discovery consultancy, told Threatpost. “It is only a question of time before improperly stored passwords or data become visible to the public internet and search engines index them. It can be anything – firewall down, electricity outage, software update – and a perimeter which you considered internal goes public.”
Security researcher Troy Hunt told Threatpost that the Facebook faux pas seems similar to a glitch Twitter had last year, in which it inadvertently logged passwords in the clear. Twitter said that the glitch caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling to change their passwords.
“It’s certainly undesirable, but without evidence of the captured passwords being exposed the risk is pretty minimal,” he told Threatpost. “This feels like a disclosure out of an abundance of caution rather than a disclosure due to a serious risk. For consumers, using Facebook’s 2-step verification process goes a long way to mitigating this risk.”
The exposure of account passwords is not only a threat to the information stored in those accounts, but any private information stored in a Facebook-enabled application, Greg Pollock, vice president of product at BreachSight, told Threatpost.
“Password reuse attacks are also a consideration in any incident like this; anyone who uses their Facebook password for other systems should change it there as well,” he said. “Through our research we’ve often found that massive collections of log files are frequently exposed via public Elasticsearch instances. Logs need to be considered as carefully as the database itself.”
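The two failure modes the story describes are storing passwords in a readable format and letting them leak into logs. The following added example, which is not code from Facebook, Twitter or any of the people quoted, shows the defensive pattern for both: a login check that works from a salted PBKDF2 hash (so the plaintext never needs to be kept), and a logging filter that redacts password fields before a line is written. The hash format, the field names matched by the regular expression, and the sample login record are all constructed for this illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import io
import logging
import os
import re

# Constructed parameters for this example; real systems tune the work factor
# to their hardware and use a purpose-built library where one is available.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The plaintext is never stored; only this derived value goes to the database.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGO_TAG}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO_TAG:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Matches key=value, key: value and JSON-style "key": "value" forms for a few
# common password field names (constructed list; extend to your own schema).
PASSWORD_FIELD = re.compile(
    r'(?i)("?(?:password|passwd|pwd)"?\s*[:=]\s*)("[^"]*"|[^\s,&;]+)'
)


def redact(line: str) -> str:
    """Replace the value of any password field with a fixed marker."""
    return PASSWORD_FIELD.sub(r"\1[REDACTED]", line)


class RedactPasswords(logging.Filter):
    """Scrub password values from every record before a handler emits it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


def log_login_attempt(user: str, password: str) -> str:
    """Log an attempt through the redaction filter and return the emitted line."""
    buf = io.StringIO()
    logger = logging.getLogger("auth.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactPasswords())
    logger.addHandler(handler)
    # A careless call site that passes the raw password to the logger; the
    # filter is what keeps it out of the log file.
    logger.info("login attempt user=%s password=%s", user, password)
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample account for the demonstration.
    record = hash_password("hunter2")
    print("stored:", record)
    print("correct password accepted:", verify_password("hunter2", record))
    print("wrong password rejected:", not verify_password("Hunter2", record))
    print("log line:", log_login_attempt("alice", "hunter2"))
    print(redact('{"user": "bob", "password": "s3cret pass"}'))
```

The stored record contains only the salt and derived digest, so an internal query over the table returns nothing an employee could type into a login form. The filter is attached to the handler rather than to the call site, which is the point Pollock makes: the log pipeline itself has to enforce the rule, because individual developers will not remember to.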
Canahuati also stressed that Facebook has been looking at the ways it stores certain other categories of information, such as access tokens, and has “fixed problems as we’ve discovered them.”
From the Cambridge Analytica incident about a year ago to several other Facebook security problems over the past year (such as questionable data-sharing partnerships and other privacy violations), Facebook continues to be criticized for data privacy issues.
Threatpost will update this story as more information becomes available.