Facebook's problems with data security never seem to come to an end. After a report by Kerb on Security, the company has admitted to have stored hundreds of millions of user passwords in plain text within its internal data storage systems.
Reports estimate that about 600 million Facebook users’ passwords may have been stored in plain text and searchable by more than 20,000 Facebook employees.
Facebook, however, says that it has fixed the issue and found no evidence of the passwords being misused internally or being accessed by anyone outside of Facebook.
A blog, signed by Facebook VP for Security and Privacy Pedro Canahuati, said that the people affected will be notified. Facebook estimates that it will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.
Now, although it is said that this does not make for password resets, it does raise a few important questions, some not answered in the company's statement – How many passwords were stored? For how long were they accessible? How many people were able to access the passwords? If it was for a decent amount of time, why did Facebook retain them for long? And how was the company unaware of this for so long?
The Kreb on Security report says that a Facebook insider told them that the company is still trying to determine the exact number of passwords and for how long have they been in the database.
The source, however, said that access logs showed about 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.
Facebook's software engineer, Scott Renfro told Kreb on Security that the issue first came to light in January 2019 when security engineers were reviewing some new code noticed passwords were being inadvertently logged in plain text.
Facebook told WIRED that the exposed passwords weren’t all stored in one place, and that the issue didn’t result from a single bug in the platform’s password management system.
The incident could be a violation of the EU’s new General Data Protection Regulation (GDPR), which mandates that companies store passwords securely and notify anyone affected by a privacy breach within 72 hours, a Buzzfeed report said.
Generally, websites store users' passwords by scrambling them using a cryptographic process called hashing, that stores passwords in random codes on the server, so that even if someone has access to the passwords, they will not be able to read them and a computer will not be able to unscramble them.
Facebook says it also masks the passwords using hashing, but since when is still a matter of question.
Twitter also had a familiar fallout but the number of people that had access to the passwords was relatively low.
(With inputs from Kreb on Security, WIRED and Buzzfeed.)
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)