Facebook Employees Had Access to Millions of User Passwords Stored in Plain Text

[cageymaru]

In a new blog post entitled "Keeping Passwords Secure" Facebook VP Engineering, Security and Privacy Pedro Canahuati explains how the social media giant accidentally stored Facebook user's passwords on internal data storage systems in plain text. Pedro explains how "these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users." To keep your account safe, Facebook suggests changing your Facebook and Instagram passwords, pick strong passwords, use a password manager, and enable a security key or two-factor authentication.

In recent months, Facebook has vowed to clean up its act as it has been accused of sharing user data, one click account takeover bugs, paying minors to harvest their data without parental consent, had its enterprise certificate revoked by Apple, access token hack, Cambridge Analytica, and many more fines and hacks. I would suggest picking a password so long and complex that Facebook employees would get tired from writing it down.

As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.

 

[Darunion]

oh ffs.....

 

[purple_monster]

this isnt even that bad compared to what our collective brain has already forgotten, gosh the news moves SO fast:

https://motherboard.vice.com/en_us/article/bjpqw4/facebook-fires-employee-stalk-women-online
https://motherboard.vice.com/en_us/article/bjp9zv/facebook-employees-look-at-user-data
https://www.dailydot.com/debug/facebook-data-stalking-employee/

im sure anyone with database/api or however facebook is built internally can do whatever they want and find whatever they want with plenty of time before getting caught. how is the inverse not possible?

 

[raz-0]

I see Facebook hired that guy that used to work for Sony.

 

[bobdabilder]

Hahahahahahahahaha

 

[Ur_Mom]

Seriously? I think whoever did that is probably not going to work with anything regarding security. Something so simple, yet they screwed the pooch bad.

 

[mothandras]

What's Facebook?

 

[BloodyIron]

You can't disprove the credentials weren't abused. Therefore the reasonable thing to assume is they were abused and tell everyone to change their passwords and stop using those passwords anywhere. Did Facebook even do this? I don't think so.

They are seriously the most negligent corporation currently existing, and they don't even fucking care.

Shit like this is why people think businesses, executives and such, are above the law, and are not held accountable or punished for their actions and negligence, in the same way the individual citizen is.

Everyone should be treated 100% equally, no matter how big they are. Until then, we live in a two class society. The too big to fail, and the actual citizens.

 

[SvenBent]

these passwords were never visible to anyone outside of Facebook and

They shouldn;t be visible to facebook to begin with... That just bad IT right there

Facebook should be penalized for this. 5 bucks per name and 5 bucks per password. paid to the person the info is about.

 

[RealBeast]

oh ffs.....

And they suggest a strong password, like it's a user issue.

That would helps if FB could do something really crazy, like not keeping passwords in plain text files.

How strong is strong in plain text?

 

[greenman]

Pretty sure even phpfox doesn't store in plain text..

 

[Fresch]

People are people no matter who they are or where they work. If you are on the internet social media with real information you need to go get your head examined.

 

[katanaD]

And they suggest a strong password, like it's a user issue.

That would helps if FB could do something really crazy, like not keeping passwords in plain text files.

How strong is strong in plain text?

i work with some who LOVE to keep their end users passwords in excel... because it makes things easier for them..

 

[Oldmodder]

I am not much better, i have a little black book wherein i have put usernames and passwords for the past 10 years.


EDIT: okay lets say almost 20 years, as the book are a calendar and its from 2001.

 

[darckhart]

these passwords were never visible to anyone outside of Facebook and

They shouldn;t be visible to facebook to begin with... That just bad IT right there

Facebook should be penalized for this. 5 bucks per name and 5 bucks per password. paid to the person the info is about.

yea uh why are passwords even collected in plaintext....

 

[Gottfried Leibnizzle]

Somebody needs to put an "I" after "FB"...

 

[joobjoob]

Vast majority of people I know use the same email and passwords as often as possible.

 

[joobjoob]

Personally I love when passwords are hashed but not salted so all you have to do is copy in a a known hash and you are in.

Knowing to look for this I was involved in multiple infosec projects at previous employers to change the system before anyone caught on. To say nothing of government agencies where HINC decided to ignore the problem, and just play the normie card of "oh noes we wuz hacked!"

 

[Hashiriya415]

I share my FB pass with all my friends. FB means nothing to me.

 

[TheOne&OnlyZeke]

When I started my job, the passwords for all IT systems were stored in a password protected Access 2000 database

This was in a government body.

Sigh.....

 

[YeuEmMaiMai]

i wonder how many were

password
12345678
facebook
administrator

 

[MyNameIsAlex]

I am not much better, i have a little black book wherein i have put usernames and passwords for the past 10 years.


EDIT: okay lets say almost 20 years, as the book are a calendar and its from 2001.

How is this not secure? I do this too, it is in the safe. If the safe is not secure, then well I'm totally screwed anyways, the least of my problems is a Filipino 11 yr old photo shopping genitals on my hardfourm profile

 

[Jagger100]

i work with some who LOVE to keep their end users passwords in excel... because it makes things easier for them..

Well if they didn't they'd just have 1 or 2 or maybe 3 they recycle everywhere.

 

[ZenDragon]

yea uh why are passwords even collected in plaintext....

That is my question... while I am concerned about passwords being in plain text of course, and this particular incident is obviously a huge threat to users. I am more concerned that the encryption used is actually reversible such that they can be decrypted to begin with as that is more of a systemic issue. Passwords should always be stored using non-reversable encryption.

 

[IcePickFreak]

Seriously? I think whoever did that is probably not going to work with anything regarding security. Something so simple, yet they screwed the pooch bad.

Probably the head of security at Equifax now.

 

[Nenu]

There should be a minimum standard of security applied to user data otherwise the site is forcibly taken offline.
Call it a license that can be revoked when they breach it, along with suitable fines and offline times that are large enough to have an impact.
If they keep going offline people will migrate away and I will laugh.

 

[Darunion]

There should be a minimum standard of security applied to user data otherwise the site is forcibly taken offline.
Call it a license that can be revoked when they breach it, along with suitable fines and offline times that are large enough to have an impact.
If they keep going offline people will migrate away and I will laugh.

I really hate regulation because in most cases it really is just a money maker. In this I agree, it does go against the whole 'free internet' but I don't know of a solution otherwise. Probably couldn't force someone offline but I could see a certification that would be display on the page and link to a reg number to validate. Maybe it could be easier to teach people not to input into uncertified websites?

I really wish every single thing did not require an account.

 

[lcpiper]

You can't disprove the credentials weren't abused. Therefore the reasonable thing to assume is they were abused and tell everyone to change their passwords and stop using those passwords anywhere. Did Facebook even do this? I don't think so..

That is exactly what this guy is doing

 

[rinaldo00]

What's Facebook?

Facebook is eCancer

 

[Zareek]

Wow, what's next for Facebook? How else can they abuse people's trust? I'm not sure anything is left.

Oh yeah, let's buy one of those cameras with a screen on it so they can see what I do at home and take a look around. Maybe sell that information, I will get to see myself in boxer shorts in an ad for weight loss pills.