In plain sight: Hundreds of millions of Facebook user passwords were stored in plain text
When you create an online account, your password is normally hashed (stored in a one-way form that cannot be read back) rather than kept as readable text, to protect it from prying eyes both inside and outside the organization. Apparently, some Facebook employees missed that memo: because of oversights in the development of some applications used by the social media giant, between 200 million and 600 million user passwords had been stored in plain text since 2012.
The passwords were stored on internal Facebook servers that, while secured against outside intrusion, were fully searchable by more than 20,000 Facebook employees, according to a Facebook insider familiar with the matter. Speaking to Brian Krebs of KrebsOnSecurity, the source said that some employees built applications that logged user passwords in plain text, devoid of any encryption. Some of these applications date as far back as 2012.
The insider also said that about 2,000 engineers, developers, and other employees queried these servers and pulled data containing plain text passwords about 9 million times over the past 7 years.
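The defect the insider describes is not an attacker breaking in; it is an application that writes the credential it receives into a log that many employees can search. The following added example (not Facebook's code, and not from the KrebsOnSecurity report) shows that pattern beside the defensive one: a debug line that dumps the whole login request, versus a login path that stores only a salted PBKDF2 hash, logs only the identity, and attaches a redaction filter so a later careless log line cannot leak the password either. All function names, the `pbkdf2_sha256$...` record layout and the `SAMPLE_LOGIN` request are constructed for this illustration.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import List, Optional, Tuple

# Constructed sample login request for the demo; not real user data.
SAMPLE_LOGIN = {"user": "alice@example.com", "password": "correct horse battery staple"}

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted one-way record; the password cannot be recovered from it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class RedactPasswords(logging.Filter):
    """Scrub password-like fields (dict repr, JSON, key=value) before any handler writes them."""

    PATTERN = re.compile(
        r"(['\"]?password['\"]?\s*[:=]\s*)(['\"][^'\"]*['\"]|[^\s,}]+)", re.IGNORECASE
    )

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so values passed as %-args are scrubbed too.
        record.msg = self.PATTERN.sub(r"\1[REDACTED]", record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo can inspect what would hit disk."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def _make_logger(name: str, redact: bool) -> Tuple[logging.Logger, ListHandler]:
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = ListHandler()
    logger.addHandler(handler)
    if redact:
        logger.addFilter(RedactPasswords())
    return logger, handler


def login_logging_plaintext(request: dict) -> List[str]:
    """The defect: dumping the whole request writes the plaintext password into the log."""
    logger, handler = _make_logger("plaintext_demo", redact=False)
    logger.debug("login request: %s", request)
    return handler.lines


def login_hardened(request: dict, stored_record: str) -> Tuple[bool, List[str]]:
    """Hardened path: verify against the salted hash, log only the identity, redact defensively."""
    logger, handler = _make_logger("hardened_demo", redact=True)
    ok = verify_password(request["password"], stored_record)
    logger.info("login attempt user=%s success=%s", request["user"], ok)
    # Even if someone later dumps the request by mistake, the filter scrubs the secret.
    logger.debug("request dump: %s", request)
    return ok, handler.lines


if __name__ == "__main__":
    print("defective log line:", login_logging_plaintext(SAMPLE_LOGIN)[0])
    record = hash_password(SAMPLE_LOGIN["password"])
    print("stored record:", record)
    success, lines = login_hardened(SAMPLE_LOGIN, record)
    print("login ok:", success)
    for line in lines:
        print("hardened log line:", line)
```

The redaction filter is a safety net, not the fix: the real control is that the server never needs the plaintext after verification, so nothing downstream (logs, analytics, crash dumps) should ever be handed it. A code audit of the kind that surfaced this incident would look for exactly the `login_logging_plaintext` shape, a request or form object passed whole into a log call.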
The good news is that the company doesn’t believe anyone was “looking intentionally for passwords,” according to Software Engineer Scott Renfro. That means it’s likely there’s little to no security risk. Still, Facebook plans to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” about the issue.
The company became aware of the issue during a code audit in January of this year. Engineers reviewing code noticed that passwords were being stored as plain text, alerting Facebook to the larger problem at hand.
Facebook doesn’t believe that users need to change their passwords at this time. As with any potential security risk, it might be a good idea to change it anyway.