Facebook reveals employees had access to millions of user passwords
Despite all the promises of privacy, Facebook is falling apart piece by piece. The social network has suffered from bugs/breaches, compromising information of millions of users, even interfering with the elections. Now, in another shocking case, a news outlet has revealed that the company had kept passwords of hundreds of millions of users in an unencrypted format for years. Here are the details.
Hundreds of millions of passwords in plain text
In a recent report, Kerbs On Security cited a senior-level Facebook employee to confirm that the social network kept millions of user passwords in a readable text format. Normally, passwords are hashed with a cryptographic key to prevent them from being accessed or read. But, in this case, a string of security errors associated with Facebook's products led to the passwords being logged internally.
Up to 600 million Facebook customers could be affected
Following the shocking revelation, Facebook issued a statement confirming the issue. The company didn't give exact numbers but said "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users" may have had their passwords exposed. Meanwhile, the source speaking to Kerbs said between 200 million and 600 million people may have been affected.
Question of internal abuse
Facebook discovered the unencrypted password log as part of a routine security review in January. Then, it patched the issues and started an investigation to understand the true scale of the exposure. In its statement, the company claimed the passwords were not exposed to anyone outside of Facebook and there's no evidence that anyone on the inside had abused the access given inadvertently.
Still, this is a major problem
Even if readable passwords were stored on Facebook's internal servers, this is still a pretty big concern. The company has more than 20,000 employees and access logs suggest that at least 2,000 of them (mostly engineers or developers) searched through the files containing passwords dating back to 2012. These people made approximately 9 million queries, although their exact reason remains unclear.
Statement from Facebook's software engineer
"We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data," Facebook engineer Scott Renfro said, claiming that the passwords were unencrypted but there's no actual risk from it.
