When it comes to Facebook secutity , it seems there is one potentially damaging lapse after another.
The latest was uncovered by the Krebs On Facebook secutity news site, flagging hundreds of millions of Facebook users who had their account passwords stored in plain text that could be searched by more than 20,000 c– in some cases dating to 2012.
The author of the report, Brian Krebs, says Facebook told him that none of the employees, to the company’s knowledge, abused the data.
Facebook later admitted as much publicly, in a newsroom blog posted by vice president of engineering for security and privacy Pedro Canahuati.
“We have fixed these issues, and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” he wrote. The issue first came to light in January.
“To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them,” Canahuati continued. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
(Facebook describes Facebook Lite as version of Facebook predominantly used by people in regions with lower connectivity.)
Citing an unnamed senior Facebook employee as the source, Krebs says the social network is probing the causes of a series of security failures in which employees built applications that logged the unencrypted password data, which apparently numbers between 200 million and 600 million.
Facebook has been a magnet for disturbing news the past couple of years, leaving some people to break up with the service for good and placing CEO Mark Zuckerberg on the hot seat.
Last week, The New York Times reported Facebook’s data practices were under criminal investigation. And Facebook has been riddled by scandals ranging from Cambridge Analytica and fake news to the court documents that revealed youngsters and their parents were duped into spending money on online games earlier this decade.
Krebs told USA TODAY that “Facebook’s motto has long been ‘move fast, break things,’ and this situation seems to be one unfortunate manifestation of that mantra. It’s easy to see how a Facebook engineer or developer might enable password logging for a short period of time – to troubleshoot a specific problem, for example. But it’s also easy for that developer to forget to undo that logging.”
Were consumers harmed here? “The more people at Facebook who have access to this data, the greater the likelihood that someone will abuse that access,” Krebs says. “When you start getting into the realm of tens of thousands of employees with that opportunity over as much as seven years, the chances for harm or abuse would seem to go up considerably.”
Engin Kirda, co-founder and chief architect at the Lastline network security firm, has a similar take: “This is not only a bad situation, but it is actually terrible. It is a major relapse of operational security practices.”
“Storing passwords in clear text is a terrible idea because it would allow employees and potential attackers who steal this data to easily use these passwords and potentially log on to other, non-Facebook-related services as well because users often reuse passwords,” Kirda added. “If this data leaks out, or a Facebook employee who has access to this data ends up becoming malicious, having this data lying around might lead to other, easy account compromises that are not directly hosted on Facebook.”
While Facebook claims none of the passwords were exposed externally, it points users to settings where you can change your passwords on Facebook and Instagram.
It also recommends such common sense security practices as choosing strong complex passwords that you don’t repeat elsewhere, and enabling additional protections like two-factor authentication.