Facebook admits to storing Millions of Users' Passwords in readable format

It’s another day, so time for another Facebook scandal, as the company admitted Thursday that it had stored hundreds of millions of its users’ passwords internally in a readable format.

The world’s largest social network said that during a routine review in January it had found the flaw in its internal data storage systems, adding that the company had now fixed the issue.

“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” Pedro Canahuati, vice-president of engineering, security and privacy, said. 

Mr Canahuati’s post was published shortly after a blog by cyber security journalist Brian Krebs first reported on the incident, citing a Facebook source who said that the account passwords of between 200m and 600m users may have been searchable by more than 20,000 Facebook employees. Mr Krebs claimed that some of these passwords were available in plain text as far back as 2012.

The company said it inadvertently logged passwords in plain text in a variety of circumstances, such as when it received reports of a user’s app crashing. Mr Canahuati said that Facebook had found “no evidence to date that anyone internally abused or improperly accessed them” or that anyone outside of Facebook had viewed the passwords. However, he said that the company would be notifying the users affected “as a precaution”.

He estimated this included hundreds of millions of users of Facebook Lite, a version of the platform used by people in regions with limited internet connections, plus tens of millions of other Facebook users and tens of thousands of users of Instagram, its photo-sharing app.

Facebook appears to have been as underhand as usual in disclosing the issue, revealing it only after it had been reported elsewhere first. The social giant said it had not told regulators of the issue in January because it had planned to do so once it fully completed its internal investigation, which is expected to wrap up shortly.

It is unclear whether the latest incident represents a breach of the EU’s new data protection regulations, known as the General Data Protection Regulation, or GDPR. The Irish Data Protection Commissioner, which oversees compliance with GDPR, said in a statement:

“Facebook have been in contact and have informed us of this issue. We are currently seeking further information.”

Facebook said on Thursday that in the course of its routine security review, it had been “looking at the ways we store certain other categories of information” including another kind of key known as access tokens, adding that it had “fixed problems as we’ve discovered them”.
