Facebook Stored Users’ Passwords in Plain Text For Years
According to a report by KrebsOnSecurity, Facebook stored the passwords of around 200 – 600 million users in a readable (plain text) format on its internal servers for almost seven years, leaving them searchable by around 20,000 employees.
After a security researcher exposed the issue online, the company admitted the incident but denied that it posed a risk. Facebook says it has found no evidence to date that any employee improperly accessed or misused the plain text passwords.

The flaw was initially discovered during a routine check early this year. As Pedro Canahuati, vice president of engineering, wrote in a privacy note, “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems.”
How Does Facebook Protect Users’ Passwords?
He also explained how Facebook masks users’ passwords: “Our login systems are designed to mask passwords using techniques that make them unreadable.” The company hashes and salts each password with a function called scrypt and a cryptographic key, which irreversibly replaces the password with a set of random characters. “These passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” he added.

However, citing a senior Facebook employee familiar with the investigation, KrebsOnSecurity reported that around 2,000 Facebook employees made approximately 9 million internal queries for data elements containing users’ passwords, and that employees had built applications that logged users’ password data in plain text. The company is still trying to establish why those queries were run, how many passwords were exposed and for how long; the archives found so far point back to early 2012.

KrebsOnSecurity also interviewed Facebook software engineer Scott Renfro, who said, “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data.” The company nevertheless plans to notify the affected users, and reserves the right to force a password reset if it finds signs of abuse.

Either way, this is a serious issue: it may have exposed the passwords of hundreds of millions of Facebook Lite users, millions of Facebook users and thousands of Instagram users to thousands of Facebook employees. Canahuati also stressed that nothing is more important to the company than protecting users’ information. If you are concerned about your account security, the company recommends changing your password or enabling a security key or two-factor authentication.
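The salt-plus-scrypt-plus-key scheme described above, as an added illustration that is not Facebook’s own code: the pepper value, cost parameters and the `redact_password_for_log` helper are constructed assumptions. The last helper shows the check that was missing in the story, since the plain text copies came from applications logging the raw field rather than from the hashing itself.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumption: a server-side secret ("pepper") kept outside the password
# database, standing in for the "cryptographic key" the article mentions.
# Constructed placeholder value for this example only.
PEPPER = b"constructed-example-pepper-not-for-production"

# scrypt cost parameters (constructed; tune to your hardware).
# n=2**14, r=8, p=1 uses about 16 MiB per hash, within hashlib's default memory limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password end up with unrelated digests."""
    if salt is None:
        salt = secrets.token_bytes(16)
    # scrypt is memory-hard, which makes offline guessing on GPUs/ASICs expensive.
    derived = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Keyed step: a stolen table of digests cannot be verified without the pepper.
    digest = hmac.new(PEPPER, derived, hashlib.sha256).digest()
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time,
    so the comparison does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def redact_password_for_log(event: dict) -> dict:
    """Scrub the raw password field before a login event reaches any log sink.
    The digest is never written either; only its presence is noted."""
    safe = dict(event)
    if "password" in safe:
        safe["password"] = "[REDACTED]"
    return safe


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
    print(redact_password_for_log({"user": "alice", "password": "correct horse battery staple"}))
```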