Facebook Just Admitted to Storing Millions of User Passwords
Facebook's problems with data security never seem to come to an end. After a report by Krebs on Security, the company has admitted to having stored hundreds of millions of user passwords in plain text within its internal data storage systems.
Facebook, however, says that it has fixed the issue and found no evidence of the passwords being misused internally or being accessed by anyone outside of Facebook.
A blog post, signed by Facebook VP for Security and Privacy Pedro Canahuati, said that the people affected will be notified. Facebook estimates that it will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.
Now, although the company says this does not call for password resets, it does raise a few important questions, some of which the company's statement does not answer: How many passwords were stored? For how long were they accessible? How many people were able to access the passwords? If they were accessible for a considerable time, why did Facebook retain them for so long? And how was the company unaware of this for so long?
The Krebs on Security report says that a Facebook insider told them that the company is still trying to determine the exact number of passwords and for how long they have been in the database.
Facebook's software engineer Scott Renfro told Krebs on Security that the issue first came to light in January 2019, when security engineers reviewing some new code noticed that passwords were being inadvertently logged in plain text.
The incident could be a violation of the EU’s new General Data Protection Regulation (GDPR), which mandates that companies store passwords securely and notify anyone affected by a privacy breach within 72 hours, a Buzzfeed report said.
Generally, websites store users' passwords by scrambling them with a cryptographic process called hashing, which turns each password into a fixed, seemingly random code before it is stored on the server, so that even someone with access to the stored values cannot read the passwords and cannot feasibly compute them back from the hashes.
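As an added illustration (not code from the article or from Facebook), the Python sketch below shows both halves of the story: the kind of logging defect that writes a submitted password into a log line, the redaction step and logging filter that keep it out, and salted PBKDF2 hashing so that only a non-reversible digest is ever stored. The sample login event, field names and logger name are constructed for this example.

```python
import hashlib
import hmac
import io
import json
import logging
import re
import secrets

# Constructed sample login event, the kind of payload new logging code might dump wholesale.
SAMPLE_EVENT = {"user": "alice", "password": "hunter2-example", "client": "fb-lite"}
# Field names whose values must never reach a log line (constructed list for this example).
SENSITIVE_KEYS = {"password", "passwd", "new_password", "old_password"}
_FIELD_RE = re.compile(r'("(?:' + "|".join(SENSITIVE_KEYS) + r')"\s*:\s*)"[^"]*"', re.I)

def unsafe_log_line(event: dict) -> str:
    """The defect: serialising the whole event puts the plaintext password in the log."""
    return json.dumps(event)

def redact(event: dict) -> dict:
    """Mask credential fields before the event is serialised for logging."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in event.items()}

class RedactingFilter(logging.Filter):
    """Defence in depth: mask password-like fields even in messages logged as raw JSON."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = _FIELD_RE.sub(r'\1"[REDACTED]"', str(record.msg))
        return True

def capture_log(event: dict) -> str:
    """Log the raw event through a logger fitted with the filter and return the emitted line."""
    logger = logging.getLogger("login-audit-example")  # constructed logger name
    logger.handlers.clear()
    stream = io.StringIO()
    logger.addHandler(logging.StreamHandler(stream))
    logger.addFilter(RedactingFilter())
    logger.setLevel(logging.INFO)
    logger.info(json.dumps(event))
    return stream.getvalue().strip()

def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)
```

Running `capture_log(SAMPLE_EVENT)` yields a line that still names the user and client but carries `[REDACTED]` in place of the password, while `hash_password` output can be stored and checked without the password ever being written down.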
Twitter also had a similar incident, but the number of people who had access to the passwords was relatively low.