Facebook Stored Millions of Passwords Without Any Encryption

Facebook is back with another security problem.

This time, it’s your actual passwords. The company reported yesterday that it stored millions of user passwords in plain text, without hashing or encrypting them. That meant the passwords sat in a readable format, so a Facebook employee with database access could learn your exact password with a simple query.
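To show what “plain text” versus “hashed” means in practice, here is an added illustration (my own example code, not Facebook’s, whose internal systems this page does not describe): a login store that keeps only a salted PBKDF2 hash, so a database query or a leaked table reveals nothing usable, plus a logging filter that scrubs password fields before a log line is written, since application logs are a common place for raw passwords to end up. The iteration count, the field names matched by the regex, and the sample request body are all assumptions for the demo.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import Optional

# Assumption: a PBKDF2-HMAC-SHA256 work factor in line with current OWASP guidance.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Only this string is stored; the password itself never touches the database.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Matches query-string style (password=...) and JSON style ("password": "...").
# Assumption: these are the field names the application uses for secrets.
_SECRET_PATTERN = re.compile(
    r'((?:password|passwd|pwd)["\']?\s*[:=]\s*["\']?)([^"\'&\s,}]+)',
    re.IGNORECASE,
)


def redact_secrets(text: str) -> str:
    """Replace the value of any password-like field with a fixed marker."""
    return _SECRET_PATTERN.sub(r"\1[REDACTED]", text)


class RedactPasswords(logging.Filter):
    """Logging filter that scrubs secrets from the final message text.

    It runs before any handler sees the record, so the raw value never reaches
    a file, a log shipper, or a central search index.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_secrets(record.getMessage())
        record.args = ()  # already formatted; prevent a second %-substitution
        return True


class _ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_login_attempt(user: str, password: str) -> str:
    """Simulate a handler that carelessly logs the whole request body.

    A fresh Logger instance (not the global registry) keeps the demo isolated.
    Returns the line that would actually have been written.
    """
    logger = logging.Logger("demo.auth")
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactPasswords())
    # Constructed sample: a login form body as it arrives from the client.
    logger.info("login body: user=%s&password=%s", user, password)
    return handler.lines[0]


if __name__ == "__main__":
    record = hash_password("hunter2")
    print("stored:", record)                       # salted hash, no password
    print("verify ok:", verify_password("hunter2", record))
    print("verify bad:", verify_password("hunter3", record))
    print(log_login_attempt("alice", "hunter2"))   # password replaced in log
```

The two halves address the two ways a password can leak on the server side: what the authentication table holds at rest, and what the application writes about each request. Neither change affects users; the fix for an incident like this one is still to rotate the affected passwords, because anything already written to a log before the filter existed has to be treated as exposed.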


Facebook says the passwords were not accessed by anyone from outside the company, and it hasn’t been abused internally, either. That still doesn’t change the fact that user passwords were completely accessible to Facebook employees internally.

Facebook isn’t sharing exactly how many users were impacted, but security research site KrebsOnSecurity reports that around 200-600 million users were impacted. It seems the issue originated from Facebook’s Lite apps, a version of the company’s app that uses fewer resources. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity,” the company said in a blog post.

Facebook insists the passwords weren’t exposed externally, and it “didn’t find any evidence of abuse” to date. So your account may not have been compromised, but the company will still notify affected users and suggest they change their passwords as a precaution.

Either way, with Facebook already going through so many privacy and security controversies, this just makes things worse. It’s almost like there’s a new Facebook security-related problem every other week, and with the company shifting its focus to protecting user data, this is not a good start.


Conversation 11 comments

  • wright_is

    Premium Member
    22 March, 2019 - 6:13 am

    Mehedi, that should be Krebs, not Kerbs. ;-)

    This is a definite GDPR violation, which needs to be reported within 72 hours of discovery… Given that it was discovered in January and they are only confirming it now that Krebs has blown the story, it could be very expensive if any EU users were caught up in the log files.

    • christian.hvid

      22 March, 2019 - 8:45 am

      In reply to wright_is:

      Agreed, that would seem to be a second-tier violation, carrying a fine of up to 2% of the global turnover, or just over a billion dollars in Facebook's case.

  • locust infested orchard inc

    22 March, 2019 - 9:12 am

    Article quote by Mehedi Hassan: "…but security research site KerbsOnSecurity reports that around 200-600 million users were impacted…"

    "KerbsOnSecurity"? What Facebook did was exactly that, they put several 'CurbsOnSecurity'‡, hence zero security exists with users' data on Fakebook. Not surprising in the least.

    BTW the invaluable security news site you referred to is managed by Brian Krebs, not "Kerbs".

    ‡ Curb = restraint, restriction; not the edge of a raised sidewalk (US)

    • mpowell

      Premium Member
      22 March, 2019 - 3:30 pm

      In reply to locust infested orchard inc:

      Or, to put it another way:

          You have a typo, it's actually "krebsonsecurity" not "kerbsonsecurity"

  • waethorn

    22 March, 2019 - 9:34 am

    I'm glad I never created an account on TheFaceBag.

  • VMax

    Premium Member
    22 March, 2019 - 10:16 am

    This article needs to make clear that the passwords weren't intentionally stored in unencrypted form in a user database or anything like that – they were inadvertently caught in application logs.

    • christian.hvid

      22 March, 2019 - 10:49 am

      In reply to VMax:

      Thanks, that clears things up considerably. I deleted my comments since they make no sense in light of this information. I still feel good about not using Facebook though. :)

  • mattbg

    Premium Member
    22 March, 2019 - 12:05 pm

    "Around 200-600 million users". That's quite a broad estimate for something that has already happened :)

  • hoomgar

    25 March, 2019 - 8:40 am

    "It’s almost like there’s a new Facebook security related problem every other week, and with the company shifting its focus to protect user data, this is not a good start."

    It's not necessarily a bad thing in that the whole reason all of this is coming up is because they are actually/finally looking at it all. Most of the stuff reported most likely was like that for years or even from the start.


Thurrott © 2024 Thurrott LLC