Facebook acknowledged a bug that caused hundreds of millions of user passwords (dating back to 2012) for both Facebook and Instagram to be stored as readable text internally. This basically means that thousands of Facebook employees could have searched for and found them. Facebook says they weren’t accessible outside of the company, and that there’s no evidence employees did in fact abuse or improperly access them. We say, change it anyway.
Organizations can store account passwords securely by scrambling them with a cryptographic process known as hashing before saving them to their servers. This way, even if someone gets those passwords, they won’t be able to read them, and a computer would find it difficult to unscramble them. As a prominent company with billions of users, Facebook knows that it would be a jackpot for hackers and invests heavily to avoid the liability and embarrassment of security mishaps.
As part of a routine security review in January, Facebook found that user passwords were being stored in a readable format within its internal data storage systems. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” says Pedro Canahuati, VP of engineering, security and privacy, in a blog post.
According to cybersecurity journalist Brian Krebs, the plaintext passwords had been searchable by Facebook employees in some cases since 2012. An anonymous Facebook employee told Krebs that the firm is probing a series of security failures after employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.
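The two controls discussed above, hashing a password before it is stored and keeping the readable password out of application logs, are sketched here as an added example; it is not Facebook's code. The choice of scrypt, its cost parameters, the field-name pattern and the logger name are all assumptions, since the article names none of them.

```python
import hashlib
import hmac
import io
import logging
import os
import re

# Assumed scrypt cost parameters for this sketch (about 16 MiB per hash).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def hash_password(password: str) -> bytes:
    """Return salt || digest; this is the only form that reaches storage."""
    salt = os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, expected)

# Matches password=..., "password": "...", pwd: ... in free-form log text.
SECRET = re.compile(
    r"""\b(password|passwd|pwd)(["']?\s*[=:]\s*)("[^"]*"|'[^']*'|[^\s&,}]+)""",
    re.IGNORECASE)

def redact(text: str) -> str:
    return SECRET.sub(r"\1\2[REDACTED]", text)

class RedactPasswords(logging.Filter):
    """Scrub the fully formatted message before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), None
        return True

def logged_line(message: str, *args) -> str:
    """Log through a handler with the filter attached; return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactPasswords())
    log = logging.Logger("login-debug")  # hypothetical logger name
    log.addHandler(handler)
    log.warning(message, *args)
    return buf.getvalue().strip()

if __name__ == "__main__":
    stored = hash_password("hunter2")  # constructed sample password
    print(verify_password("hunter2", stored), verify_password("guess", stored))
    print(logged_line("login user=%s password=%s", "alice", "hunter2"))
```

Pattern-based redaction only catches fields whose names match the pattern, so it complements, rather than replaces, keeping credentials out of log calls in the first place.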
Who is impacted?
Facebook says it will be notifying everyone whose passwords were stored in this way. And it’s not a small number: hundreds of millions could be affected, Canahuati says. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
It’s safer to change your Facebook and Instagram passwords right now.