Facebook has admitted to storing hundreds of millions of user passwords in plain text, and potentially accessible by its employees, for years, though the social network insists that there’s no sign that its poor security practice was taken advantage of. Even so, Facebook plans to notify every one of its users whose password was stored that way.
However, Facebook will not be forcing those users to reset their passwords. In cases of previous security lapses, the site has proactively locked down affected users’ accounts and demanded that they create a new password before they can regain access.
The security screw-up was spotted by researcher Brian Krebs, who found that Facebook’s bad password management dated back in some cases to 2012. Employees at the social network apparently “built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers,” according to one senior team member. Anything between 200 million and 600 million users could have been impacted, Facebook’s ongoing investigation has reportedly found.
Facebook confirmed the review, though attempted to downplay its severity. According to the company, “some user passwords” had been stored in a readable format. The issue has been addressed, Facebook says. However, the number of people that will be alerted that their passwords were affected is significant.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Facebook insists. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
The social network also goes on to point out the ways in which it attempts to avoid unauthorized access of its users’ profiles. That includes two-factor authentication, alerts being sent out for login attempts from new or unrecognized places, and monitoring data breaches on other services which might have seen users recycle passwords for Facebook. Of course, all that doesn’t really help if you’re storing those passwords in a plain text file somewhere.
Facebook’s investigation is ongoing. The error was first spotted in January 2019, software engineer Scott Renfro said, during a routine security review of new code, which found that passwords were being logged in plain text.
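The failure described here is application code that writes request or account data into ordinary logs without stripping the password field. As an added illustration (Python written for this page, not Facebook’s code), the block below shows the defensive control a security review would ask for: a logging filter that redacts password fields before any handler writes them, plus a scanner that flags lines in existing logs that still carry a raw password value. The field names, the regex and the sample log lines are assumptions constructed for the example.

```python
import io
import logging
import re

# Field names treated as secrets (assumption: what the logged structures use).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "new_password", "old_password")

# Matches password=value, password: value, "password": "value" inside free text;
# the value class excludes '[' so an already written "[REDACTED]" is not rematched.
_INLINE_SECRET = re.compile(
    r"""(?i)(["']?(?:%s)["']?\s*[:=]\s*["']?)([^"'&\s,}\[]+)""" % "|".join(SENSITIVE_KEYS)
)

def redact(obj):
    """Recursively blank values of sensitive keys in dicts/lists and scrub free text."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    if isinstance(obj, str):
        return _INLINE_SECRET.sub(r"\1[REDACTED]", obj)
    return obj

class RedactingFilter(logging.Filter):
    """Scrubs the message and its arguments before any handler formats the record."""
    def filter(self, record):
        record.msg = redact(record.msg)
        record.args = redact(record.args)
        return True

def logged_line(fmt, *args):
    """Emit one record through a logger carrying RedactingFilter; return what was written."""
    stream = io.StringIO()
    logger = logging.getLogger("redact-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(stream))
    logger.addFilter(RedactingFilter())
    logger.info(fmt, *args)
    return stream.getvalue().rstrip("\n")

def find_leaked_credentials(log_lines):
    """Detection side: (line number, line) for lines that still carry a raw password value."""
    return [(n, line) for n, line in enumerate(log_lines, 1) if _INLINE_SECRET.search(line)]
```

Attaching the filter to the logger rather than to one handler means every handler on that logger, file or network, sees the scrubbed record.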
“In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this,” Renfro pointed out. As for the reason why Facebook won’t be implementing a mandatory password change, the engineer says it would be an overreaction. “We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
What remains to be seen is whether the lapse will bring increased regulatory scrutiny down on Facebook. The company has suffered numerous security issues over recent years, prompting politicians and others to call for stricter controls. At the same time, storing passwords in plain text could well see Facebook falling foul of Europe’s General Data Protection Regulation (GDPR).
Last year, indeed, one social media company was fined by the European Union for storing passwords in plain text, after a data breach that affected 800,000 people. The fine was intentionally kept low, with data watchdogs citing both the company’s cooperation and a desire to avoid bankrupting it with an undue financial burden. Whether regulators would be so generous to Facebook, should legal action begin over this issue, remains to be seen.