Facebook stored millions of passwords in plain text but says nobody abused them


Facebook’s mishandling of users’ data earned it criticism last year as the revelations about the Cambridge Analytica scandal were served out in the open. The company was condemned for letting a host of apps harvest users’ data without their consent. Besides this harvesting of data, which was abused to profile the preferences of millions of users and send them highly targeted political ads before Brexit and the 2016 US elections, Facebook’s app was found to be scraping users’ call logs and messages without their knowledge. The entire episode not only cost Facebook its reputation but also resulted in a plunging stock price and a loss of more than $100 billion in market value. CEO Mark Zuckerberg took full responsibility for the incident and also promised that the company would take every step possible to keep users’ data secure.

However, even as the new year unfolds, troubling times seem to be returning for Facebook. Another major gaffe has resulted in the passwords of “hundreds of millions” of Facebook users being exposed to more than 20,000 employees. The company admitted that these passwords were available in a “readable format” within its internal storage systems.

According to KrebsOnSecurity, between 200 million and 600 million users could have been affected by this flaw, even though Facebook denies the possibility of this data being accessible to outsiders and refrains from sharing exact numbers. The company, however, confirms that the vast majority of affected accounts belong to Facebook Lite users, alongside tens of millions of Facebook users and at least tens of thousands of Instagram accounts. Facebook Lite is the stripped-down version of the Facebook app that is intended for markets with poor data connectivity.
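The core failure described above is that passwords existed in a “readable format” inside internal storage. The contrast below is an added example, not code from the article or from Facebook: a deliberately bad record that keeps the plaintext, next to a record built with a salted, iterated PBKDF2-SHA256 hash from Python’s standard library, plus a small check of the kind an internal review would run over storage or log samples. The iteration count, the record format and the sample log lines are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, List

# Assumed work factor for the example; tune to your own hardware budget.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password: str) -> str:
    """The anti-pattern: the record is the password. Anyone who can read
    the store (or a log line that copied it) has the credential."""
    return f"plain${password}"


def store_hashed(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user means equal passwords give different records."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time; the plaintext is never read back from storage."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def lines_exposing_secret(lines: List[str], secret: str) -> List[int]:
    """Review helper: return the indices of lines that contain the secret
    verbatim. Run over storage dumps or log samples with a known test
    password to spot places where plaintext is being written."""
    return [i for i, line in enumerate(lines) if secret in line]


# Constructed sample: a plaintext record, a hashed record and two log lines,
# one of which copied the raw login form into the log.
SAMPLE_PASSWORD = "correct-horse-battery"
SAMPLE_LINES = [
    store_plaintext(SAMPLE_PASSWORD),
    store_hashed(SAMPLE_PASSWORD),
    "2019-03-21T10:00:00Z login ok user=alice",
    "2019-03-21T10:00:01Z DEBUG form={'user': 'bob', 'pw': 'correct-horse-battery'}",
]


if __name__ == "__main__":
    record = store_hashed(SAMPLE_PASSWORD)
    print("hashed record:", record)
    print("verify correct:", verify_hashed(SAMPLE_PASSWORD, record))
    print("verify wrong:  ", verify_hashed("not-it", record))
    print("lines exposing the password:",
          lines_exposing_secret(SAMPLE_LINES, SAMPLE_PASSWORD))
```

The hashed record can be verified but not reversed, so a storage system or log that holds only such records does not hand employees the credential, which is exactly the exposure the article describes. The `lines_exposing_secret` check is the simplest form of the log review quoted later in the piece: seed a known test credential, then search everything that persists data for it.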

Facebook says that it will notify each of the users whose passwords were stored in this format. Further, Facebook engineer Scott Renfro told KrebsOnSecurity that users will not be required to reset their passwords since there was no noted case of misuse of this data by employees. Meanwhile, Facebook recommends that users secure their accounts by enabling a security key or two-factor authentication.

“We have a bunch of controls in place to try to mitigate these problems, and we’re in the process of investigating long-term infrastructure changes to prevent this going forward. We’re now reviewing any logs we have to see if there has been abuse or other access to that data,” Renfro said.

However, it is not exactly clear how secure 2FA would make users feel. A few weeks ago, several users complained that anyone can find them on Facebook using the phone numbers entered for 2FA, with no option to opt out. In the past, there have been reports of Facebook sharing these mobile numbers with advertisers. Even with this incident, Facebook is still speaking in that pacifying voice, while we have yet to see convincing efforts in terms of privacy.

Source: Facebook Newsroom