A report has said that millions of Facebook passwords were internally exposed, and the firm on March 21 said the problem has been fixed.
Researcher Brian Krebs of KrebsOnSecurity broke the news about the security failure, saying that 600 million passwords were stored in plain text.
A source at Facebook told him that during an investigation, “between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.”
“Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012,” he wrote, citing the source.
“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source told him.
He added: “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
Facebook software engineer Scott Renfro went on record with Krebs, saying that the firm doesn’t have the exact numbers, including the number of employees who could have accessed the passwords.
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro told Krebs. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
Facebook said the issue was discovered in January as part of a routine security review.
The majority of those affected were users of Facebook Lite, a version of the social media app largely used by people in regions with lower connectivity, Reuters reported.
Security firm Sophos said that users should “change [their] Facebook password now.”
“In jargon terms, they’re known as plaintext passwords and it means that instead of seeing a password scrambled into a hashed form such as 379f1531753a7c43ab4f4faace212451, anyone looking at the stored data will see the actual password, right there, just like that,” it says. “Plaintext passwords used to be the rule, decades ago, but it’s become technically, socially and even morally irresponsible to save raw passwords over the years,” the website adds.
Forbes reported that Facebook will be alerting people whose passwords have been stored in plaintext.
“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” a Facebook official said.
The outlet also recommended that users change their passwords.
Reuters contributed to this report.