Facebook Stored Hundreds of Millions Passwords in Plain Text, Thousands of Employees Had Access

by

Facebook today announced that during a routine security review it discovered "some user passwords" were stored in a readable format within its internal data storage systems, accessible by employees.

As it turns out, "some user passwords" actually means hundreds of millions of passwords. A Facebook insider told KrebsOnSecurity that between 200 and 600 million Facebook users may have had their account passwords stored in plain text in a database accessible to 20,000 Facebook employees. Some Instagram passwords were also included, and Facebook claims many of the passwords came from Facebook Lite users.

facebooksecurity
Facebook says that there's no "evidence to date" that anyone within Facebook abused or improperly accessed the passwords, but KrebsOnSecurity's source says 2,000 engineers or developers made around nine million internal queries for data elements that contained plain text user passwords.

Facebook employees reportedly built applications that logged unencrypted password data, which is how the passwords were exposed. Facebook hasn't determined exactly how many passwords were stored in plain text, nor how long they were visible.

Facebook plans to notify users whose passwords were improperly stored, and the company says that it has been looking at the ways certain categories of information, such as access tokens, are stored, and correcting problems as they're found.

"There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook," reads Facebook's blog post.

Facebook and Instagram users who are concerned about their account security should change their passwords, using unique passwords that are different from passwords used on other sites. Facebook also recommends users enable two-factor authentication.

Tag: Facebook

Top Rated Comments

dannyyankou Avatar
dannyyankou
37 months ago
Delete Facebook and delete your accounts
Score: 104 Votes (Like | Disagree)
wesleypitts Avatar
wesleypitts
37 months ago
How is this company not being criminally prosecuted?
Score: 84 Votes (Like | Disagree)
JimmyBanks6 Avatar
JimmyBanks6
37 months ago
While many are saying "is anyone surprised" I actually am at this.

This is one of the largest corporations in the world, whose sole business is its internet applications, and they ignored one of the most basic security expectations of hashing a password?

That is absolutely surprising and shameful and there is no excuse from them that is acceptable.
Score: 47 Votes (Like | Disagree)
AngerDanger Avatar
AngerDanger
37 months ago
Consider my mind blown.

Score: 35 Votes (Like | Disagree)
1050792 Avatar
1050792
37 months ago
I'm shocked at Facebook's lack of security!
Said nobody.
Score: 34 Votes (Like | Disagree)
johnalan Avatar
johnalan
37 months ago
Disgusting.


Use privacy enhancing tech or pay the price, in future privacy will be currency.

* GPG
* Veracrypt
* Monero
* VPN
* DuckDuckGo
* Pi.hole
Score: 31 Votes (Like | Disagree)
Read All Comments

Popular Stories

iPhone 14 Mock pill and hole thumb

ProMotion Now Expected to Remain Exclusive to iPhone 14 Pro Models, Not Expand to Entire Lineup

Sunday January 16, 2022 8:56 am PST by
Continuing the tradition set with the iPhone 13 Pro, only the highest-end iPhone 14 models will feature Apple's ProMotion display technology, according to a respected display analyst. Ross Young, who on multiple occasions has detailed accurate information about Apple's future products, said in a tweet that ProMotion will not be expanded to the entire iPhone 14 lineup and will remain...
Read Full Article91 comments
safari icon blue banner

Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time [Updated]

Sunday January 16, 2022 3:37 pm PST by
A bug in WebKit's implementation of a JavaScript API called IndexedDB can reveal your recent browsing history and even your identity, according to a blog post shared on Friday by browser fingerprinting service FingerprintJS. In a nutshell, the bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites during a user's browsing session....
Read Full Article236 comments
ipad air 4 video

New iPad Air Rumored to Launch This Spring With A15 Chip, 5G, Center Stage Camera, and More

Saturday January 15, 2022 8:05 pm PST by
Apple is planning to release a fifth-generation iPad Air with similar features as the sixth-generation iPad mini, including an A15 Bionic chip, 12-megapixel Ultra Wide front camera with Center Stage support, 5G for cellular models, and Quad-LED True Tone flash, according to Japanese blog Mac Otakara. Citing reliables sources in China, the report claims that the new iPad Air could be...
Read Full Article161 comments
Unlikely Products 2022 Feature

Six Rumored Apple Products You're Unlikely to See This Year

Saturday January 15, 2022 2:06 pm PST by
Much has been said about what consumers could see from Apple in 2022, but the company is also working on a handful of rumored products that aren't expected to be unveiled for at least another 12 months, and in some cases a lot longer. Of course, that's assuming they get released at all. Apple works on many potential products some of which ultimately never see the light of day. With that in...
Read Full Article67 comments
AirPods Pro Gen 3 Mock Feature Red

AirPods Pro 2 Could Start a New Accessory Ecosystem

Friday January 14, 2022 2:34 am PST by
Apple's second-generation AirPods Pro could arrive alongside a new series of accessories, recent leaked images suggest. Alleged leaked photos of the next-generation AirPods Pro obtained by MacRumors showed a charging case with a metal loop on the side for attaching a strap. Apple has not used this design for any of its other AirPod models and it is unclear why it would be added in this...
Read Full Article
netflix2

Netflix Again Raises Prices for All Plans, 4K Streaming Now $20 Per Month

Friday January 14, 2022 12:46 pm PST by
Netflix today updated the prices for its streaming plans, and all of its offerings are now more expensive. The Basic plan is now priced at $9.99 per month, the Standard plan is priced at $15.49 per month, and the Premium plan is priced at $19.99 per month. The Basic plan is $1 more expensive, up from $8.99 per month. This plan allows users to watch on just one screen at a time, and it limits ...
Read Full Article433 comments
tesla carplay solution

Developer Showcases Apple CarPlay Workaround for Teslas

Monday January 17, 2022 7:24 am PST by
A Tesla Model 3 owner has resorted to a workaround to implement Apple CarPlay in his vehicle, amid no sign of official support from Tesla (via Tesla North). Apple CarPlay and Apple Music support are among the most-requested Tesla features, but with no indication that Tesla is willing to implement Apple CarPlay in its vehicles, Polish developer Michał Gapiński took matters into his own...
Read Full Article233 comments
top stories 20220115

Top Stories: iPhone 14 Pro Rumors, iCloud Private Relay Controversy, iOS 15.2.1 Released, and More

Saturday January 15, 2022 6:00 am PST by
Hole-punch? Pill? Hole-punch and pill? Rumors about what the front camera system on the iPhone 14 Pro will look like are evolving rapidly, and it now appears we might be getting a novel but potentially controversial design later this year. Other major stories this week included some confusion and controversy about iCloud Private Relay being disabled for some T-Mobile customers, increasing...
Read Full Article10 comments