Notebookcheck

In plain sight: Hundreds of millions of Facebook user passwords were stored in plain text

Due to a security oversight made by some Facebook employees, certain Facebook apps have been inadvertently logging user passwords as plain text on internal company servers. While still secured against outside intrusion, between 200 and 600 million user passwords were visible and searchable by about 20,000 employees at Facebook.

When you create an online account, your password is normally stored only in a hashed form, never as the readable string, so that it is protected from prying eyes both inside and outside the organization. Some Facebook employees apparently skipped that step: due to employee oversight in the development of some applications used by the social media giant, between 200 and 600 million user passwords have been stored as plain text since 2012.

The passwords were stored on internal Facebook servers that, while secured against outside intrusion, were fully searchable by more than 20,000 Facebook employees, according to a Facebook insider familiar with the matter. Speaking to Brian Krebs of KrebsOnSecurity, the source said that some employees built applications that logged user passwords in plain text, without any hashing or encryption. Some of these applications date as far back as 2012.
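As an added example (not code from the article or from Facebook), the defensive side of the problem described above: a redacting wrapper that strips password fields from request data before it is logged, an audit scan over constructed sample log lines of the kind a code review would look for, and the salted hash that is the only form a password should be kept in. The key list, function names and sample lines are all assumptions.

```python
import hashlib
import hmac
import json
import os
import re

# Keys whose values must never reach a log line in the clear (assumed list; extend per app).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}
REDACTED = "[REDACTED]"

def redact(obj):
    """Return a copy of a payload with sensitive values replaced, recursing into nested data."""
    if isinstance(obj, dict):
        return {k: REDACTED if k.lower() in SENSITIVE_KEYS else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

def log_request(payload):
    """Drop-in replacement for a naive log(json.dumps(payload)) that would write the password."""
    return json.dumps(redact(payload), sort_keys=True)

# Matches JSON ("password": "x") and key=value (pwd=x) styles found in existing log lines.
_PW_PATTERN = re.compile(r'\b(password|passwd|pwd)\b"?\s*[:=]\s*"?([^",\s}]+)', re.IGNORECASE)

def find_plaintext_passwords(log_lines):
    """Audit helper: (line number, key) for every line still carrying an unredacted password."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in _PW_PATTERN.finditer(line):
            if m.group(2) != REDACTED:
                hits.append((n, m.group(1).lower()))
    return hits

SAMPLE_LOG_LINES = [  # constructed sample lines, not real log data
    '{"event": "login", "user": "alice", "password": "hunter2"}',
    '{"event": "login", "user": "bob", "password": "[REDACTED]"}',
    'event=reset user=carol pwd=Tr0ub4dor&3 ip=10.0.0.5',
]

def hash_password(password, salt=None):
    """What a credential store should hold instead of the password: a salted PBKDF2-HMAC-SHA256 digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"pbkdf2_sha256$600000${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time; the password is never kept."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Running `find_plaintext_passwords(SAMPLE_LOG_LINES)` flags lines 1 and 3 and passes the already redacted line 2, which is the check an audit like the one the article describes would apply to existing logs.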

The insider also said that about 2,000 engineers, developers, and other employees queried these servers and pulled data containing plain text passwords about 9 million times over the past 7 years.

The good news is that the company doesn’t believe anyone was “looking intentionally for passwords,” according to Software Engineer Scott Renfro. That means it’s likely there’s little to no security risk. Still, Facebook is planning on notifying “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” about the issue.

The company became aware of the issue during a code audit in January of this year. Engineers reviewing code noticed that passwords were being stored as plain text, alerting Facebook to the larger problem at hand.

Facebook doesn’t believe that users need to change their passwords at this time. As with any potential security risk, it might be a good idea to update it anyway.

Sam Medley, 2019-03-21 (Update: 2019-03-22)
Sam Medley - Review Editor - @samuel_medley
I've been a "tech-head" my entire life. After graduating college with a degree in Mathematics, I worked in finance and banking a few years before taking a job as a Systems Analyst for my local school district. I started working with Notebookcheck in October of 2016 and have enjoyed writing news articles and notebook reviews. My areas of interest include the business side of technology, retro gaming, Linux, and innovative gadgets. When I'm not hunched over an electronic device or writing code for a new database, I'm either outside with my family, playing a decade-old video game, or sitting behind a drum set.