This article was published on March 22, 2019

Facebook’s reportedly been storing millions of user passwords in plain text since 2012


Last night, Facebook revealed that in January it found a flaw in its systems that stored user passwords in plain text, which meant that anyone with access to those systems could read the passwords directly, with no decryption or cracking required. The vulnerability impacts “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”

What’s more shocking is that, according to cybersecurity journalist Brian Krebs, in some instances, the company has been storing these passwords without securing them since 2012.

The report also noted that because of the flaw, nearly 20,000 Facebook employees had access to the plaintext passwords of between 200 million and 600 million users, in a searchable form. However, Krebs explained that only 2,000 developers ran queries that rifled through these passwords:

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

Scott Renfro, a software engineer at Facebook, told KrebsOnSecurity that the company has found no abuse of the flaw, and while it’s notified the users, it won’t force them to reset their passwords:

We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.
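The failure Renfro describes is passwords landing in logs that were never meant to hold them. As an added illustration (not Facebook's code, and not from this article), the following Python shows the two controls a defender would want: a logging filter that scrubs password fields from structured and free-text records before any handler writes them, and a scanner that flags plaintext passwords already sitting in existing log lines. The sample log lines, field names and the `app` logger name are constructed for the example.

```python
import logging
import re

# A dict key is treated as a password field if it ends with one of these
# (covers "password", "new_password", "user_pwd" and similar).
_KEY_SUFFIXES = ("password", "passwd", "pwd")

# Free-text form: key=value, key: value, or 'key': 'value' as in a repr()'d dict.
_PLAINTEXT_RE = re.compile(
    r"""(?i)([\w-]*(?:password|passwd|pwd))(['"]?\s*[=:]\s*['"]?)([^\s'",}&]+)""")


def is_sensitive_key(key):
    return str(key).lower().endswith(_KEY_SUFFIXES)


def redact(event):
    """Return a scrubbed copy of a log event (dict, list or string) without mutating it."""
    if isinstance(event, dict):
        return {k: "[REDACTED]" if is_sensitive_key(k) else redact(v) for k, v in event.items()}
    if isinstance(event, (list, tuple)):
        return [redact(v) for v in event]
    if isinstance(event, str):
        return _PLAINTEXT_RE.sub(r"\1\2[REDACTED]", event)
    return event


class RedactingFilter(logging.Filter):
    """Attached to a logger, scrubs each record before any handler formats or writes it."""

    def filter(self, record):
        if isinstance(record.msg, dict):
            record.msg = redact(record.msg)
        else:
            # Render %-style arguments first so "password=%s" is caught after substitution.
            record.msg = redact(record.getMessage())
            record.args = ()
        return True


def format_through_filter(msg, *args):
    """Run one message through RedactingFilter and return what a handler would see."""
    record = logging.LogRecord("app", logging.DEBUG, "app.py", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def scan_log_lines(lines):
    """Detection side: (line number, field name) for each plaintext password already written."""
    return [(n, m.group(1).lower()) for n, line in enumerate(lines, 1)
            for m in _PLAINTEXT_RE.finditer(line)]


# Constructed sample lines in the style of a debug log that echoed request parameters.
SAMPLE_LINES = [
    "2019-01-14T10:02:11Z INFO login attempt user=alice client=lite",
    "2019-01-14T10:02:11Z DEBUG request params: user=alice password=hunter2",
    "2019-01-14T10:03:40Z DEBUG form body {'user': 'bob', 'new_pwd': 'correcthorse'}",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    log = logging.getLogger("app")
    log.addFilter(RedactingFilter())
    log.debug("request params: user=%s password=%s", "alice", "hunter2")
    print(scan_log_lines(SAMPLE_LINES))
```

The filter sits at the logger, so it runs before every handler, including file and remote sinks; the scanner is the after-the-fact check for logs written before the filter existed.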

While the social network is internally investigating the issue, it’s baffling that it’s not forcing users to change the passwords to prevent any future abuse. You should definitely change your password if Facebook’s notified you – and enable two-factor authentication while you’re at it (here’s how).

Just a few weeks ago, Mark Zuckerberg wrote a massive post on how Facebook wants to become a privacy-focused company. This certainly doesn’t inspire confidence in the new direction.
