Facebook has acknowledged storing hundreds of millions of user passwords in plaintext files since 2012. However, these passwords (at least 200 million of them) were only visible to Facebook employees, according to KrebsOnSecurity; security researcher Brian Krebs broke the story after speaking to a Facebook employee.
It’s a well-known fact that storing passwords in readable plaintext is insecure. So what on earth was Facebook thinking since 2012 by not changing how these passwords were stored? The company is reportedly still attempting to determine how many passwords were stored in plain text and exactly who had access to them. As of now, all that is known is that some 2,000 engineers or developers tried to access the passwords.
Did anybody access the passwords?
According to Facebook software engineer Scott Renfro, the company has not detected any signs that the repository was misused or penetrated by bad actors.
We have not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data.
In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we are reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.
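The mechanism Renfro describes, credentials that were never meant to be stored but ended up in logs, is easy to reproduce and easy to prevent. The following is an added example written for this article (it is not Facebook’s code, and the usernames, password and logger names are constructed for the demo): a login handler that logs the raw request, so the password lands in the log sink, beside a hardened version that redacts sensitive fields before logging and checks a salted PBKDF2 hash instead of a stored plaintext. A small scanner at the end shows the kind of check a defender can run over log output to catch such leaks.

```python
import hashlib
import hmac
import logging
import os
from io import StringIO

# Parameter names whose values must never reach a log line.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "token"}
PBKDF2_ITERATIONS = 200_000


def redact(params):
    """Copy of a request-parameter dict with secret fields masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in params.items()}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: the store keeps (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def make_logger(name):
    """Logger writing to an in-memory buffer so the demo can inspect what was logged."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def insecure_login(params, users, log):
    """The defect: the whole request is logged verbatim, so the password lands in the log."""
    log.info("login request: %s", params)
    return users.get(params["username"]) == params["password"]  # plaintext store, plaintext compare


def secure_login(params, users, log):
    """Logs only redacted parameters and checks a salted hash instead of a stored plaintext."""
    log.info("login request: %s", redact(params))
    record = users.get(params["username"])
    if record is None:
        return False
    salt, digest = record
    return verify_password(params["password"], salt, digest)


def find_password_leaks(log_text, known_passwords):
    """Detection helper: return log lines that contain any known credential value."""
    return [line for line in log_text.splitlines()
            if any(p in line for p in known_passwords)]


def run_demo():
    # Constructed sample credentials; not real data.
    password = "hunter2-constructed"
    plaintext_users = {"alice": password}              # the plaintext-style store
    hashed_users = {"alice": hash_password(password)}  # (salt, digest) per user

    insecure_log, insecure_buf = make_logger("demo.insecure")
    secure_log, secure_buf = make_logger("demo.secure")

    req = {"username": "alice", "password": password, "remember": "1"}
    bad_req = {"username": "alice", "password": "wrong-password", "remember": "1"}

    results = {
        "insecure_auth_ok": insecure_login(req, plaintext_users, insecure_log),
        "secure_auth_ok": secure_login(req, hashed_users, secure_log),
        "secure_auth_wrong": secure_login(bad_req, hashed_users, secure_log),
    }
    # The insecure handler's log contains the password; the secure handler's does not.
    results["insecure_log_leaks"] = bool(find_password_leaks(insecure_buf.getvalue(), [password]))
    results["secure_log_leaks"] = bool(find_password_leaks(secure_buf.getvalue(), [password]))
    results["secure_log_redacted"] = "[REDACTED]" in secure_buf.getvalue()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The redaction step is deliberately a fixed allow-list of field names applied at the logging call site rather than a regex over the finished log: once a secret has been interpolated into a message string it is too late to reliably strip it. The `find_password_leaks` scan only works when the defender already knows the credential values (as in an incident review), which is exactly why a company that logged passwords for years can struggle to say who saw them.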
Facebook has published an article on the topic, but most of it just reviews its existing security practices and underplays the issue of storing passwords in the least secure way possible. It probably underplayed the issue because it hasn’t found evidence that anyone accessed them, which is a good thing so far.
But disclosures like these only further emphasize how sloppy Facebook’s practices truly are. Storing hundreds of millions of plaintext passwords for seven years (if not longer) is proof that Facebook is still miles away from valuing users’ privacy and security.