Facebook Stored Millions of Passwords Without Any Encryption

Posted on March 22, 2019 by Mehedi Hassan in Social with 11 Comments

Facebook is back with another security problem.

This time, it’s your actual passwords. The company reported yesterday that it had stored millions of user passwords in plain text on internal systems, rather than keeping only a salted hash as a login system should. In practice that meant the passwords sat in a readable format in internal data stores, where any Facebook employee with access could look up a user’s exact password with a simple query.

Facebook says the passwords were not accessed by anyone from outside the company, and it hasn’t been abused internally, either. That still doesn’t change the fact that user passwords were completely accessible to Facebook employees internally.
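The two mistakes behind an incident like this are easy to reproduce: an application logs the whole login request for debugging, so the raw password lands in the log, and nothing downstream ever checks the logs for it. The following is an added example, not Facebook’s code and not from the original article: it shows a debug log line that leaks the password beside a hardened version that redacts sensitive fields before logging and compares the submitted password against a salted PBKDF2-HMAC-SHA256 hash, plus a small scanner for finding passwords that have already reached a log. The sample request, user store and log lines are constructed for the example, and PBKDF2 is used only as a stand-in for whichever password hash the real system uses (the article does not say).

```python
import hashlib
import hmac
import json
import logging
import os
import re
from io import StringIO

# Request fields that must never reach a log (assumed list for this example).
SENSITIVE_KEYS = {"password", "passwd", "pass", "token", "secret"}


def redact(obj):
    """Recursively replace the values of sensitive keys with a fixed marker."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; only this string is ever stored."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored parameters and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def _capture_logger(name):
    """Logger writing to an in-memory buffer so the example can inspect its output."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def vulnerable_login(request):
    """The leak: the whole request, password included, is dumped into the debug log."""
    logger, buf = _capture_logger("vulnerable")
    logger.debug("login request: %s", json.dumps(request))
    return buf.getvalue()


def hardened_login(request, user_db):
    """Redact before logging; authenticate against the stored hash, never the raw password."""
    logger, buf = _capture_logger("hardened")
    logger.debug("login request: %s", json.dumps(redact(request)))
    stored = user_db.get(request["email"])
    ok = stored is not None and verify_password(request["password"], stored)
    logger.info("login %s for %s", "ok" if ok else "failed", request["email"])
    return ok, buf.getvalue()


# Patterns a log review would grep for: JSON-style and form-style password fields.
_LEAK_RE = re.compile(r'(?i)("?(?:password|passwd|pass)"?\s*[:=]\s*"?)(?!\[REDACTED\])[^"&\s,}]+')


def find_plaintext_passwords(log_lines):
    """Return the 0-based indices of log lines that appear to carry a raw password."""
    return [i for i, line in enumerate(log_lines) if _LEAK_RE.search(line)]


# Constructed sample data (not real users or real log output).
SAMPLE_REQUEST = {"email": "alice@example.com", "password": "hunter2", "client": "lite-android"}
USER_DB = {"alice@example.com": hash_password("hunter2")}
SAMPLE_LOG = [
    'DEBUG login request: {"email": "alice@example.com", "password": "hunter2"}',
    'DEBUG login request: {"email": "bob@example.com", "password": "[REDACTED]"}',
    'INFO  GET /login?user=carol&password=letmein HTTP/1.1',
    'INFO  login ok for alice@example.com',
]
```

The scanner is deliberately crude; in a real review you would run it over sampled log volumes rather than trusting a single regex, but it is enough to flag the two classes of leak shown in the constructed lines (a JSON body and a query string) while ignoring the redacted entry.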

Facebook isn’t sharing exactly how many users were impacted, but security news site KrebsOnSecurity reports that between 200 million and 600 million users were affected. The issue appears to have originated largely in Facebook Lite, a version of the company’s app that uses fewer resources. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity,” the company said in a blog post.

Facebook insists the passwords weren’t exposed externally, and it “didn’t find any evidence of abuse” to date. So your account may not have been compromised, but the company will still notify affected users and suggest that they change their passwords as a precaution.

Either way, with Facebook already going through so many privacy and security controversies, this just makes things worse. It’s almost as if there’s a new Facebook security problem every other week, and with the company shifting its focus to protecting user data, this is not a good start.


11 responses to “Facebook Stored Millions of Passwords Without Any Encryption”

  1. wright_is

    Mehedi, that should be Krebs, not Kerbs. ;-)

    This is a definite GDPR violation, which needs to be reported within 72 hours of discovery... Given that it was discovered in January and they are only confirming it now that Krebs has blown the story, it could be very expensive if any EU users were caught up in the log files.

  2. locust infested orchard inc

    Article quote by Mehedi Hassan, "...but security research site KerbsOnSecurity reports that around 200-600 million users were impacted..."

    "KerbsOnSecurity" ? What Facebook did was exactly that, they put several 'CurbsOnSecurity'‡, hence zero security exists with users' data on Fakebook. Not surprising in the least.

    BTW the invaluable security news site you referred to is managed by Brian Krebs, not "Kerbs".

    ‡ Curb = restraint, restriction; not the edge of a raised sidewalk (US)

  3. waethorn

    I'm glad I never created an account on TheFaceBag.

  4. VMax

    This article needs to make clear that the passwords weren't intentionally stored in unencrypted form in a user database or anything like that - they were inadvertently caught in application logs.

  5. mattbg

    "Around 200-600 million users". That's quite a broad estimate for something that has already happened :)

  6. hoomgar

    "It’s almost like there’s a new Facebook security related problem every other week, and with the company shifting its focus to protect user data, this is not a good start."


    It's not necessarily a bad thing in that the whole reason all of this is coming up is because they are actually/finally looking at it all. Most of the stuff reported most likely was like that for years or even from the start.