Facebook stored millions of passwords in plain text

Ruben Fields
March 24, 2019

Krebs reports that Facebook has acknowledged the error, but the social media giant insists there is no evidence user details have been accessed - just that they could be.

According to revelations Thursday, Facebook has kept the passwords of 600 million users in plain text.

"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," said Facebook.

Facebook was relatively quick to react, saying it will notify its users of what happened.

In a public statement, Facebook said that during a routine security review in January, its security team found that some user passwords were stored in a readable format. The company stored the passwords of hundreds of millions of users in plain text without applying any type of encryption, so your password is accessible. Because there's no sign that the passwords were leaked or mishandled, the company won't require users to change their passwords.


However, citing a senior Facebook employee familiar with the investigation, KrebsOnSecurity said that around 2,000 Facebook employees made approximately 9 million internal queries for data elements containing users' passwords. "With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text," Facebook explained. The company is still trying to determine the purpose of those queries, how many passwords were exposed and for how long; the archives found point towards early 2012.
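The quoted statement does not name the technique. A common way to validate a login without keeping the password is a salted, deliberately slow one-way hash, which is what this added example assumes; it is not Facebook's code, and the scrypt parameters, function names and sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for this example (not taken from the article).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, memory-hard derivation: expensive to brute-force offline.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def make_record(password: str) -> dict:
    """Return what the server stores: a random salt and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive from the submitted password and compare in constant time."""
    candidate = _derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def demo() -> dict:
    # Constructed sample accounts; both users chose the same password.
    users = {"alice": make_record("correct horse battery"),
             "bob": make_record("correct horse battery")}
    return {
        "alice_ok": verify("correct horse battery", users["alice"]),
        "alice_wrong": verify("Correct horse battery", users["alice"]),
        # Per-user salts mean identical passwords do not share a hash.
        "same_hash": users["alice"]["hash"] == users["bob"]["hash"],
        # Nothing in the stored records contains the password itself.
        "plaintext_in_store": any("correct horse" in value
                                  for rec in users.values()
                                  for value in rec.values()),
    }


if __name__ == "__main__":
    print(demo())
```

An employee querying these records sees only salts and hashes, which is the property the plain-text copies described in the article lacked.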

Passwords are confidential information and keeping them in encrypted form is essential in cybersecurity. Facebook Lite users (the lightweight version for slow-speed, low-spec devices), Facebook users and Instagram users will be notified. If that password is also the same as one used on other sites, it's even more crucial to change the password quickly.

But it added it would enforce a password re-set only if its taskforce looking into the issue uncovered abuse of the login credentials.

This is at odds with what the insiders said, but it's possible Facebook is interpreting "improperly accessing the data" in a different way than the insiders that revealed the information to the press.
