Facebook stored hundreds of millions of users’ passwords in plain text for years, it has been revealed. The passwords could be searched by thousands of employees.
Plain Text Passwords Stored From 2012
The issue arose during a security review at the company. KrebsOnSecurity reported Thursday:
Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.
A source at the social media giant disclosed that the investigation had so far found between 200 million and 600 million users’ passwords stored as plain text. The data went as far back as 2012 and was searchable by over 20,000 Facebook employees. Indeed, around 2,000 engineers and developers made in the region of 9 million queries for records that included passwords stored as plain text.
A Facebook software engineer did say that the company had not seen evidence of engineers deliberately looking for passwords. Furthermore, he said the company had not “found any signs of misuse of data.”
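The failure described above, internal applications that logged the passwords users submitted, is a well-known defect of request logging rather than of password storage proper: the hashed credential store can be perfectly fine while a debug log beside it holds the clear text. As an added example (not code from the article or from Facebook), the Python below shows the two controls a defender wants: redaction at the point where a request is logged, and a scan over existing log lines for credential values that slipped through. The field-name list, function names and sample log lines are all constructed for illustration.

```python
"""Log hygiene for credentials: redact before writing, then audit what was written.

Added example; not Facebook's code. Field names and sample records are constructed.
"""
import json
import re
from typing import Any, Iterable
from urllib.parse import parse_qsl, urlencode

# Field names that must never reach a log sink in clear text (assumed list).
SENSITIVE_KEY = re.compile(
    r"^(pass(word|wd|phrase)?|pwd|secret|token|api[_-]?key|authorization)$", re.I
)
REDACTED = "REDACTED"


def redact_structured(obj: Any) -> Any:
    """Recursively replace the value of any sensitive key in dicts and lists."""
    if isinstance(obj, dict):
        return {
            k: REDACTED if SENSITIVE_KEY.match(str(k)) else redact_structured(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_structured(v) for v in obj]
    return obj


def redact_form_body(body: str) -> str:
    """Redact sensitive fields in an application/x-www-form-urlencoded body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, REDACTED if SENSITIVE_KEY.match(k) else v) for k, v in pairs])


def safe_request_log(method: str, path: str, headers: dict, body: str, content_type: str) -> str:
    """Build the log line for a request with credentials removed before it is emitted."""
    if content_type.startswith("application/json"):
        try:
            body_out = json.dumps(redact_structured(json.loads(body)), sort_keys=True)
        except json.JSONDecodeError:
            body_out = REDACTED  # unparseable body: refuse to log it rather than guess
    elif content_type.startswith("application/x-www-form-urlencoded"):
        body_out = redact_form_body(body)
    else:
        body_out = f"<{len(body)} bytes omitted>"  # unknown encodings are not logged
    hdrs = redact_structured(headers)
    return f"{method} {path} headers={json.dumps(hdrs, sort_keys=True)} body={body_out}"


# Audit side: a password-like key followed by a value that is not the redaction marker.
LEAK = re.compile(r'(?i)\b(password|passwd|pwd)\b"?\s*[=:]\s*"?(?!REDACTED\b)[^\s",&]+')


def find_leaks(lines: Iterable[str]) -> list[int]:
    """Return 1-based numbers of log lines that still carry a clear-text password."""
    return [n for n, line in enumerate(lines, 1) if LEAK.search(line)]


# Constructed sample log: lines 2 and 4 were written by a logger without redaction.
SAMPLE_LOG = [
    "POST /login body=email=a%40example.com&password=REDACTED",
    "POST /login body=email=b%40example.com&password=hunter2",
    'login payload {"user": "c", "password": "REDACTED"}',
    'login payload {"user": "d", "password": "s3cret"}',
    "GET /profile?id=42",
]

if __name__ == "__main__":
    print(safe_request_log("POST", "/login",
                           {"Authorization": "Bearer abc", "User-Agent": "x"},
                           '{"user": "c", "password": "s3cret"}', "application/json"))
    print("lines needing remediation:", find_leaks(SAMPLE_LOG))
```

The scanner is deliberately narrow (it looks only for a handful of key names next to an unredacted value) so that it can be run over a large historical corpus cheaply; it answers the question the article's review had to answer, which stores hold clear-text credentials, without itself copying the values anywhere.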
The Response
In a statement, Facebook acknowledged it “found that some user passwords were being stored in a readable format within our internal data storage system.” It said the discovery happened during a routine security review held in January 2019. However, the company insisted “these passwords were never visible to anyone outside of Facebook.”
It added that it had “found no evidence to date that anyone internally abused or improperly accessed them.” The company had earlier said that “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” would be notified.
They have security reviews! Routinely!