Facebook Stored Hundreds of Millions Passwords in Plain Text, Thousands of Employees Had Access

Facebook today announced that during a routine security review it discovered "some user passwords" were stored in a readable format within its internal data storage systems, accessible by employees.

As it turns out, "some user passwords" actually means hundreds of millions of passwords. A Facebook insider told KrebsOnSecurity that between 200 and 600 million Facebook users may have had their account passwords stored in plain text in a database accessible to 20,000 Facebook employees. Some Instagram passwords were also included, and Facebook claims many of the passwords came from Facebook Lite users.


Facebook says that there's no "evidence to date" that anyone within Facebook abused or improperly accessed the passwords, but KrebsOnSecurity's source says 2,000 engineers or developers made around nine million internal queries for data elements that contained plain text user passwords.

Facebook employees reportedly built applications that logged unencrypted password data, which is how the passwords were exposed. Facebook hasn't determined exactly how many passwords were stored in plain text, nor how long they were visible.

Facebook plans to notify users whose passwords were improperly stored, and the company says that it has been looking at the ways certain categories of information, such as access tokens, are stored, and correcting problems as they're found.

"There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook," reads Facebook's blog post.

Facebook and Instagram users who are concerned about their account security should change their passwords, using unique passwords that are different from passwords used on other sites. Facebook also recommends users enable two-factor authentication.

Top Rated Comments

(View all)
Avatar
21 months ago
Delete Facebook and delete your accounts
Score: 104 Votes (Like | Disagree)
Avatar
21 months ago
How is this company not being criminally prosecuted?
Score: 84 Votes (Like | Disagree)
Avatar
21 months ago
While many are saying "is anyone surprised" I actually am at this.

This is one of the largest corporations in the world, whose sole business is its internet applications, and they ignored one of the most basic security expectations of hashing a password?

That is absolutely surprising and shameful and there is no excuse from them that is acceptable.
Score: 47 Votes (Like | Disagree)
Avatar
21 months ago
Consider my mind blown.

Score: 35 Votes (Like | Disagree)
Avatar
21 months ago
I'm shocked at Facebook's lack of security!
Said nobody.
Score: 34 Votes (Like | Disagree)
Avatar
21 months ago
Disgusting.


Use privacy enhancing tech or pay the price, in future privacy will be currency.

* GPG
* Veracrypt
* Monero
* VPN
* DuckDuckGo
* Pi.hole
Score: 31 Votes (Like | Disagree)

Top Stories

iPhone 12 Pro in Graphite and iPhone 12 in Blue Shown Off in Unboxing Videos

Monday October 19, 2020 8:20 am PDT by
While the iPhone 12 Pro does not launch until Friday, we now have an early unboxing video of the device courtesy of Twitter account DuanRui, providing a closer look at the shiny new flat-edge design and sleek Graphite color option. Ben Geskin re-uploaded the unboxing video to YouTube, which we've embedded below: Geskin has also uploaded an unboxing video of the iPhone 12 in Blue: ...

Kuo: iPhone 12 Pro Demand Higher Than Expected

Sunday October 18, 2020 10:39 pm PDT by
TF International Securities analyst Ming-Chi Kuo released a research note this morning detailing what he's seen with the volume of iPhone 12 and iPhone 12 Pro pre-orders in the first weekend of sales. Kuo had previously indicated that Apple's estimated shipment allocations for the new iPhone models placed the iPhone 12 at the top with 40-45% of inventory allocation (up from 15-20%). However, ...

Apple's New MagSafe Charger and Cases Begin Arriving to Customers

Saturday October 17, 2020 10:10 am PDT by
Apple's new MagSafe charger and cases have begun arriving to some customers earlier than expected, and images of the accessories have started to surface on Twitter. The photos provide a first look at the products in real-world use. As of writing, some MagSafe cases are also available for pickup at select Apple Stores in countries like the United States, Canada, and Germany. Filip...

HomePod Mini Cable is Non-Detachable, Ends With USB-C Connector for Use With Included 20W Power Adapter

Friday October 16, 2020 12:45 pm PDT by
While not detailed in the tech specs, MacRumors can confirm that Apple's new HomePod mini features a non-detachable power cable that ends with a USB-C connector for use with the 20W power adapter included in the box. With the switch to USB-C, the HomePod mini could potentially be powered by a wider range of devices and peripherals, ranging from MacBooks to USB-C battery packs with enough...

Samsung Mocks Apple for Ditching Power Adapters With iPhone 12 Lineup

Thursday October 15, 2020 11:51 am PDT by
Samsung on its social channels is mocking Apple for removing the power adapter from the iPhone 12 lineup and other iPhone models, pointing out the fact that the Samsung Galaxy smartphones continue to ship with a power adapter. "Included with your Galaxy," reads a Samsung Facebook post that features a picture of a power adapter. Apple notably is no longer providing power adapters or...

New Google App Feature Lets You Hum a Song to Search for It

Saturday October 17, 2020 4:05 am PDT by
Google has added a new feature to its Search app that allows you to hum a song that's stuck in your head, and then use the company's machine learning algorithm to try and identify it. In the Google app or using the Google Search widget, tap the mic icon and say "what's this song?" or click the "Search a song" button. Then start humming the tune for 10-15 seconds. When you're done, the...

Brazilian Certifications Suggest iPhone 12 Mini Features 2,227mAh Battery and iPhone 12 Has 2,815mAh Battery

Friday October 16, 2020 1:08 pm PDT by
Apple's iPhone mini has the shortest battery life out of all the iPhones in the iPhone 12 lineup due to its small size, but Apple has not provided public information about the battery's capacity. A regulatory filing from Brazil, however, suggests the iPhone 12 mini has a battery capacity of 2,227mAh. The same regulatory information says the iPhone 12 features a 2,815mAh battery, which is...

iPhone 12 Pro Pre-Orders Already Selling Out With Delivery Times Pushing Into November

Friday October 16, 2020 6:35 am PDT by
Apple today opened pre-orders for the 6.1-inch models of the iPhone 12 and iPhone 12 Pro through its website and the Apple Store app, and estimated delivery times are already slipping into November for select configurations in the United States. Customers ordering a SIM-free/Pacific Blue/128GB version of the iPhone 12 Pro, for example, are already facing an estimated delivery window of...

Hands-On With Apple's MagSafe Charger for iPhone 12

Monday October 19, 2020 11:54 am PDT by
Alongside the new iPhone 12 models, Apple introduced a MagSafe charger that attaches to the back of the iPhones using magnets embedded both in the charger and in the iPhone. It allows for speedier charging and paves the way for a portless iPhone in the future. MagSafe chargers are shipping out and are in some Apple retail locations now, and we picked one up to check it out. Subscribe to the ...

Apple Offering Free AirPods With iPhone 11 Purchase in India as Part of Diwali Celebration

Friday October 16, 2020 12:35 pm PDT by
Apple today launched a new Diwali promotion in India that will see the company providing customers with a set of AirPods with the purchase of any iPhone 11 model. The new iPhone 12 models are not part of the promotion. Apple is offering the standard AirPods With Charging Case free with purchase, but customers can choose to upgrade to the AirPods with Wireless Charging Case or the AirPods Pro....