Facebook Stored Up to 600M User Passwords in Plain Text

Ruben Fields
March 21, 2019

Facebook stored "hundreds of millions" of account passwords without encryption, viewable as plain text by tens of thousands of company employees, the social media giant confirmed Thursday. A security review in January, detailed in a blog post Thursday, found the passwords were stored in a readable format, a problem Facebook said it has since fixed.

But the incident reveals a huge oversight for the company amid a slew of bruises and stumbles in the last couple of years.

A written statement from Facebook sent to Krebs states that notifications will be sent to "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users".

The Information Commissioner's Office warns companies: "Do not store passwords in plaintext - make sure you use a suitable hashing algorithm, or another mechanism that offers an equivalent level of protection against an attacker deriving the original password". The precise number of affected users hasn't been determined, but the issue is estimated to affect between 200 and 600 million accounts going back to at least 2012, according to the company's archives.

The internal investigation was first reported by Krebs on Security.


Since the revelation that a British political consulting firm tapped by the Trump administration in the run-up to the 2016 election had access to the personal information for as many as 87 million Facebook users, the company has been trying to manage a deluge of negative headlines surrounding its data collection practices.

"We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way".

"In security terms, we 'hash' and 'salt' the passwords, including using a function called 'scrypt' as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters", it said. Before that happens, Facebook has been looking to see which, if any, of the passwords show "signs of abuse", because only those users will need to be told to change their password. More than 20,000 employees were able to search the data, the employee said; Facebook employed 35,587 people as of the end of 2018.
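To make the scheme in that statement concrete, here is an added example (not Facebook's code): the plaintext record the review found beside a record built with a per-user salt, scrypt, and a server-side cryptographic key. The key value, scrypt parameters and function names are assumptions chosen for illustration.

```python
"""Plaintext storage versus salted scrypt keyed with a server-side secret.

Added example, not Facebook's implementation. The key, cost parameters
and sample password are constructed for this illustration.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed: a key held outside the user database (e.g. in a KMS), so a
# stolen table of records alone is not enough for offline guessing.
SERVER_KEY = b"example-server-key-constructed-for-demo"

# Assumed scrypt cost parameters (tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(password: str) -> dict:
    """The weak form the review found: anyone who can read the record
    can read the password."""
    return {"password": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Per-user salt + scrypt, then keyed with SERVER_KEY via HMAC.

    The record holds only the salt and the keyed digest; the original
    password cannot be recovered from it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    keyed = hmac.new(SERVER_KEY, digest, hashlib.sha256).digest()
    return {"salt": salt.hex(), "hash": keyed.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    recomputed = store_hashed(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(recomputed["hash"], record["hash"])


if __name__ == "__main__":
    rec = store_hashed("correct horse battery staple")  # constructed sample
    print("plaintext record:", store_plaintext("correct horse battery staple"))
    print("hashed record:", rec)
    print("verify ok:", verify("correct horse battery staple", rec))
```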

When reached for comment, a Facebook spokesperson referred to the blog post.
