If you woke up this morning and thought to yourself, “Hey, I haven’t heard of any Facebook security scandal for a while,” well, think again. Just yesterday, March 21, Krebs on Security reported, yet again, that the ever-popular social media platform has handled its users’ data inappropriately. This time, Facebook wrongfully stored user passwords and had them exposed to thousands of its employees.
Turns out, Facebook’s internal servers were storing millions of user passwords in plain text, unencrypted.
According to the official report:
“Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.
“That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.”
The routine test that turned this up was conducted in January 2019, and no explanation has been given for why Facebook announced it two months after the discovery. Hopefully, it’s not too late for the affected users, which may include you and me.
An estimated 200 million to 600 million users had their passwords exposed, in logs dating back as far as accounts created in 2012. During that span, about 20,000 Facebook employees could search for anyone’s password and find it without a problem.
Facebook said it will notify the users affected by the company’s mistake, but will not require them to change their passwords.
Scott Renfro, a Facebook software engineer, told Krebs on Security:
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this.
“We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
Krebs on Security likewise has no evidence that the exposure harmed any users. Facebook made it clear the passwords were exposed only on internal servers. But that doesn’t mean we have to follow its advice and leave our passwords alone. You might want to change yours now, just in case. There is no way to tell whether one of those employees with access decided to misuse it. I mean, 20,000 employees are hard to predict.
You might want to change your Instagram password as well, along with any account linked to your Facebook account.
In light of these findings, the company says it is now looking at how it stores other user data, including things like access tokens.
Even with Facebook’s assurance that the exposed data was not misused, it is still hard to believe that this kind of issue keeps happening. Well, I guess nothing’s perfect after all. The more these stories pop up, despite Facebook’s promise to keep our personal data safe and secure, the less those promises mean.