Security researcher Brian Krebs reported earlier today that Facebook had been improperly storing user passwords for years, making them widely accessible to thousands of company employees. The number of users potentially affected by this is in the hundreds of millions, going back as far as 2012.
According to Krebs, “Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.” Krebs’s source said that there was no evidence any of the company’s tens of thousands of employees misused the data, but “access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.”
Web services are not supposed to ever store user passwords in plaintext (that is, as they actually appear). Oftentimes, they will “hash” the password, running it through a cryptographic program that spits out a different string of characters, and store that instead. So often when you submit a password to login, the web service runs it through the same program, then compares your submission and compares that to the hash in its database. Hashes are meant to be easy to generate, but difficult to reverse engineer, making them more secure. Storing passwords in plaintext is universally frowned upon (unless you’re a hacker, I guess).
Scott Renfro, a Facebook engineer, told Krebs, “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data.”
In a blog post ironically titled, “Keeping Passwords Secure,” Facebook said it had caught the issue affecting “some user passwords” in January and it was now fixed. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the company wrote.