Some 2000 Facebook staff had access to millions of Facebook users’ passwords… stored in plaintext

You know as well as I do that you probably shouldn’t have a Facebook account.

Chances are that you don’t really like Facebook all that much, and have wanted to leave – but you can’t quite kick the habit because you worry that you might miss things that your friends and family (similarly manacled to the social network) might post on their timeline.

It’s understandable that you should feel like that after years of privacy scandals and security issues.

You may think that nothing would shock you anymore when it comes to Facebook – but how about this?

Investigative journalist Brian Krebs has today published a jaw-dropping story which highlights Facebook’s lax attitude to user security and privacy.

You can read the full story for yourself, but here are the highlights:

  • Stretching back as far as 2012, Facebook has been storing the passwords of hundreds of millions of users unencrypted, in plaintext.
  • The hundreds of millions of Facebook passwords were searchable by thousands of Facebook employees.
  • According to Krebs’s source, access logs have revealed that some 2,000 engineers and developers made around nine million searches for data that contained plaintext user passwords.

Facebook hasn’t directly contacted any users yet about this potential security breach. The presumption is that Facebook was hoping to reduce the numbers (which are rather shocking) as much as possible before going public. Now that Brian Krebs has blown the whistle, Facebook has, of course, had to issue a statement:

As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.

To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.

(Facebook Lite is an Android app that is designed for users with slow data connections and low-spec phones.)

The silver lining on the cloud is that Facebook hasn’t seen any evidence that any employees have abused access to the password data – but frankly, how would they know for sure?

And furthermore, that’s not really the point.

Why was Facebook storing these passwords in plaintext? Why did so many employees have access to the data? If it found out about this problem in January, is there any reason why it took until the end of March, and an article by a cybersecurity journalist, for it to come clean?
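To make concrete what Facebook’s statement means by “mask passwords using techniques that make them unreadable”, here is an added illustration (my own example code, not anything from Facebook’s systems) of the difference between a plaintext password record and one protected by a salted, deliberately slow hash. The record format, the function names and the 600,000 PBKDF2 iteration count are choices made for this example; the point is that the hashed record can still verify a login but no longer contains the password itself, so an internal search for it turns up nothing usable.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example (not Facebook's code): the failure mode described in the
# article beside the way a login system is supposed to keep a credential at rest.

# Iteration count for PBKDF2-HMAC-SHA256; chosen here to match OWASP's
# published guidance at the time of writing (an assumption for this example).
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password: str) -> str:
    """The problem in the article: the stored record IS the secret."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, slow hash and encode it as one self-describing record.

    A fresh random salt means two users with the same password get different
    records, and the iteration count makes offline guessing expensive.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Record layout (an example convention): algorithm$iterations$salt$digest
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Check a login attempt against a stored record without ever decoding a password."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unrecognised password record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_reveals_password(record: str, password: str) -> bool:
    """What a search over stored data would find: is the secret itself in the record?"""
    return password in record


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample password
    plain = store_plaintext(secret)
    hashed = store_hashed(secret)
    print("plaintext record exposes password:", record_reveals_password(plain, secret))
    print("hashed record exposes password:   ", record_reveals_password(hashed, secret))
    print("hashed record still verifies login:", verify_hashed(secret, hashed))
```

Run it and the plaintext record answers `True` to the exposure check while the hashed record answers `False` yet still verifies the correct password; that is the property the article says Facebook’s login systems were designed to have and its internal storage did not.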

So, what should you do about this?

Well, you should ensure that the password you were using for Facebook isn’t being reused anywhere else on the internet.

Furthermore, if you’re going to keep your Facebook account, you should enable two-factor authentication (although make sure you do that with an authentication app, because if you tell Facebook your real mobile phone number for security they have no qualms about using it for their own benefit or their advertisers’).

But really, the best advice I can give you is to quit Facebook. You’re in an abusive relationship. They keep letting you down, and you’re not learning the lesson. Be sensible, walk away. And tell your friends and loved ones to do the same.

We made a “Smashing Security” podcast all about how to quit Facebook. Give it a listen, and maybe try quitting Facebook for yourself. It’s quite liberating.

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.