Complex Made Simple

Facebook: Up to 600 million users’ passwords were visible to employees

The Facebook drama never ends. Quitting employees, mounting privacy concerns, and now this.

Affected users range between 200 and 600 million
About 20,000 employees had access to the passwords
Facebook was aware of this since January

Facebook must be held together by bits of tape, at this point. Earlier this week, we were wondering if Mark Zuckerberg could help his company navigate these dire straits it has found itself in. Amid bailing employees, the Cambridge Analytica scandal, and last year’s hack, it’s a wonder the company’s reputation hasn’t collapsed on itself just yet.

But it can’t get any worse, now, can it?

Oh yes, it can.

ANOTHER user privacy debacle?

Oh, Facebook… why do you keep putting yourself in these situations?

According to a report by IT security blog Krebs on Security, hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012.

Between 200 and 600 million users’ passwords were stored in this way, and supposedly accessible by 20,000 Facebook employees, the site said, citing an anonymous source within Facebook.

Soon after this report came, Facebook responded in a ‘damage control’ blog post: “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution, we will be notifying everyone whose passwords we have found were stored in this way.”

“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the blog post continued. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”

So it seems that Facebook had knowledge of this since January, but did not share it with the public until Krebs on Security exposed the issue. It’s not clear whether this was an intentional cover-up of an internal misfire, but it would seem so.

“Despite the recent public struggles Facebook has had with respect to privacy and security, this incident is a little different,” John Shier, senior security advisor at cybersecurity firm Sophos commented on the issue. “Authentication data is something that Facebook treats very seriously and has put in place many mechanisms, both externally and internally, to ensure that user credentials are safeguarded.”

“While the details of the incident are still emerging, this is likely an accidental programming error that led to the logging of plain text credentials,” he continued. “That said, this should never have happened and Facebook needs to ensure that no user credentials or data were compromised as a result of this error. This is also another reminder for people who are still reusing passwords or using weak passwords to change their Facebook password to something strong and unique and to turn on 2-factor authentication.”
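Facebook’s statement says its login systems mask passwords so they are unreadable, and Shier’s reading is that a programming error logged the plaintext anyway. The following added example (not Facebook’s or Sophos’s code; the log sink, field names and iteration count are illustrative) shows how a login handler that debug-logs the whole request leaks the password even when storage is correctly hashed, next to a version that redacts credential fields before logging:

```python
import hashlib
import hmac
import logging
import os
from io import StringIO

# Constructed in-memory log sink so the leak can be inspected offline.
LOG_BUFFER = StringIO()
log = logging.getLogger("login_demo")
log.setLevel(logging.INFO)
log.propagate = False
log.addHandler(logging.StreamHandler(LOG_BUFFER))

# Assumed names of credential-bearing request fields.
SENSITIVE_KEYS = {"password", "passwd", "token", "secret"}

def redact(fields: dict) -> dict:
    """Copy of a request dict with credential values masked for logging."""
    return {k: ("***" if k.lower() in SENSITIVE_KEYS else v) for k, v in fields.items()}

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt:hash' hex (count is illustrative)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}:{digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def login_leaky(request: dict, stored: str) -> bool:
    """Defect pattern: logging the raw request writes the plaintext password to the log."""
    log.info("login attempt: %s", request)
    return verify_password(request["password"], stored)

def login_hardened(request: dict, stored: str) -> bool:
    """Same check; the log line is built from the redacted copy instead."""
    log.info("login attempt: %s", redact(request))
    return verify_password(request["password"], stored)

def log_contains(text: str) -> bool:
    return text in LOG_BUFFER.getvalue()

def reset_log() -> None:
    LOG_BUFFER.seek(0)
    LOG_BUFFER.truncate(0)
```

Grepping the log sink for a known test password is the cheapest check a reviewer can run against any handler that logs request bodies.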

So what should you do with your Facebook account?

Cybersecurity company Sophos wrote to AMEinfo offering advice on what people can do in the current situation. Below is a brief Q & A for users worried about their data, with advice from Paul Ducklin, senior technologist at Sophos.

Should I change my Facebook password?

Sophos: Why not? It’s perfectly possible that no passwords at all fell into the hands of any crooks as a result of this. But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before), then you can expect them to be abused. Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed.

So our advice is: change your password now.

Should I turn on two-factor authentication?

Sophos: Yes, turn on two-factor authentication (2FA) now. We’ve been urging you to use two-factor authentication everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account.

If you are reluctant to give Facebook your phone number, use app-based authentication, where your mobile phone generates a one-time code each time you log in.

Should I close my Facebook account?

Sophos: We can’t answer that for you. Given that the wrongly-stored passwords weren’t easily accessible in one database, or deliberately stored for routine use during logins, we don’t think this breach alone is enough reason to terminate your account. On the other hand, it’s a pretty poor look for Facebook, and it might be enough, amongst all the other privacy concerns that have dogged Facebook in recent years, to convince you to take that final step. In short, you have to decide for yourself. (If it helps you decide, we’re not closing our accounts.)