Adding to the list of Facebook's security missteps, a new report states that hundreds of millions of users' passwords were stored in plain text for years. Worse, Facebook employees had unfettered access to this data.
The blunder dates back to 2012. After cybersecurity journalist Brian Krebs published a report on Thursday, Facebook rushed out a blog post claiming that the flaw had been discovered during a review in January.
That raises the question of why Facebook sat on the news for roughly three months and informed users only after the report surfaced.
Facebook says that “some user passwords were being stored in a readable format within [our] internal data storage systems.”
According to Brian Krebs' sources, which include a Facebook insider, "access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords."
The social media giant claims it has "found no evidence anyone internally abused or improperly accessed" the password data, but accepting that statement requires trusting Facebook, and trust in the company is running low.
Meanwhile, Facebook says it will notify “hundreds of millions” of affected users of Facebook Lite (a lightweight app for areas with slower internet speeds).
According to the company, another “tens of millions” of regular Facebook users, and “tens of thousands” of Instagram users will also be asked to change passwords as their accounts were affected.
However, the KrebsOnSecurity report puts the total number of affected accounts somewhere between 200 million and 600 million.
Facebook says it has now fixed the issue and masked the stored passwords so they are no longer readable. As a precaution, the company recommends that users take the following steps to secure their accounts:
- Change your Facebook and Instagram passwords from the account settings
- Avoid reusing the same password on different platforms
- Use strong, complex passwords
- Enable two-factor authentication
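The article only says that passwords sat in a "readable format" in Facebook's internal storage and that the fix "masked" them; it does not describe the mechanism. The following added example (not Facebook's code, and not from the Krebs report) shows the anti-pattern and its hardened counterpart in general form: a constructed login-event store that persists the raw password as typed, beside one that keeps only a salted PBKDF2-SHA256 hash, verifies candidates in constant time, and redacts secret-bearing fields before any event is written. The `contains_plaintext` check is the audit an engineer would run over such a store. All function names, the in-memory `store` dict, the `SECRET_KEYS` list and the iteration count are assumptions made for this illustration.

```python
"""Plaintext credential storage versus salted hashing plus log redaction.

Added illustration, not Facebook's code. The page says only that passwords
were kept in a "readable format"; the store, field names and work factor
below are constructed for the example.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

# --- Vulnerable pattern (constructed): the credential lands in storage as typed ---
def store_login_readable(store: dict, user: str, password: str) -> str:
    """Persist a login event with the raw password. This is the anti-pattern."""
    record = json.dumps({"user": user, "password": password})
    store.setdefault("events", []).append(record)
    return record

# --- Hardened pattern: salted PBKDF2 hash at rest, constant-time verification ---
PBKDF2_ITERATIONS = 600_000  # assumption: a current, deliberately slow work factor

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' for a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare without leaking timing."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

# Field names treated as secrets; assumption for the example.
SECRET_KEYS = {"password", "passwd", "pass", "token", "secret"}

def redact(event: dict) -> dict:
    """Mask secret-bearing fields before the event reaches any log or data store."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_KEYS else v) for k, v in event.items()}

def store_login_hardened(store: dict, user: str, password: str) -> str:
    """Enrol on first sight, verify thereafter; only the hash and a redacted event persist."""
    creds = store.setdefault("credentials", {})
    if user not in creds:
        creds[user] = hash_password(password)
    ok = verify_password(creds[user], password)
    record = json.dumps(redact({"user": user, "password": password, "ok": ok}))
    store.setdefault("events", []).append(record)
    return record

def contains_plaintext(store: dict, password: str) -> bool:
    """Audit check: does any persisted record still contain the raw secret?"""
    return any(password in rec for rec in store.get("events", []))

if __name__ == "__main__":
    bad, good = {}, {}
    store_login_readable(bad, "alice", "correct horse battery staple")
    store_login_hardened(good, "alice", "correct horse battery staple")
    print("readable store leaks password:", contains_plaintext(bad, "correct horse battery staple"))
    print("hardened store leaks password:", contains_plaintext(good, "correct horse battery staple"))
```

The redaction step matters as much as the hashing: a correctly hashed credential table gives no protection if the login handler also writes the request body to a debug log, which is exactly the kind of "internal data storage" a plaintext password can end up in.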