Facebook has been in the bad books of lawmakers and privacy experts because of its data privacy issues and controversial business decisions.
This month, Facebook came under fire for using users’ phone numbers for marketing and advertising and for making users searchable by their phone numbers across the social network’s different platforms. And it seems all ain’t well at Facebook! Right after the recent investigation report by The New York Times, yesterday Facebook opened up about a major blunder: storing millions of user passwords in plain text. The admission came soon after security journalist Brian Krebs first reported the issue.
This morning we announced an internal issue where we stored passwords incorrectly. We've found zero evidence that anyone outside of Facebook had access to these passwords and zero evidence of internal abuse. https://t.co/21IKC9PgOS
— Facebook Newsroom (@fbnewsroom) March 21, 2019
Facebook confessed that it had kept millions of user passwords in a ‘readable format’. Facebook’s engineers and other employees who had access to the company’s internal systems could see the plaintext passwords. Facebook found out in January, during the company’s routine security review, that some user passwords were being stored in a readable format within its internal data storage systems.
Last year, after Alex Stamos, Facebook’s then Chief Security Officer, resigned from the company, Facebook stated that no one would replace him. Facebook decided not to have a central point of accountability (a CSO) but to depend instead on its security teams, effectively leaving no single head of security.
In an interview with KrebsOnSecurity, Scott Renfro, a Facebook software engineer, said, “The company (Facebook) wasn’t ready to talk about specific numbers, such as the number of Facebook employees who could have accessed the data.”
He further added, “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
Facebook’s login systems are designed to mask passwords so that they are unreadable to anyone, including Facebook staff; the plaintext copies were the result of passwords being written into internal logs rather than the login system itself. This issue has been fixed, and the company will notify the users whose passwords were stored in plain text.
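The safeguard described above, shown as an added illustration that is not Facebook’s code: a login handler that dumps the whole request into a debug log (the failure mode the article describes) beside a hardened version that redacts sensitive fields before logging, a last-resort logging filter that scrubs any `password=...` pattern that slips through, and salted PBKDF2 hashing so that only a verifier, never the password, is stored. The field names, the request format and the sample request are assumptions.

```python
import hashlib
import hmac
import logging
import os
import re

# Field names that must never reach logs or internal data stores in clear text (assumed).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "old_password"}

def redact(record):
    """Return a copy of a request dict with sensitive fields masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in record.items()}

class RedactingFilter(logging.Filter):
    """Last line of defence: scrub password-like key/value pairs from formatted messages."""
    PATTERN = re.compile(r"(?i)(password|passwd|pwd)(['\"]?\s*[:=]\s*['\"]?)([^'\",\s}]+)")
    def filter(self, record):
        record.msg = self.PATTERN.sub(r"\1\2[REDACTED]", record.getMessage())
        record.args = ()  # already formatted; prevent a second substitution pass
        return True

def hash_password(password, salt=None):
    """Store only salt + PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def handle_login_unsafe(request, log):
    # Inadvertent logging: a debug line that dumps the entire request, password included.
    log.debug("login request: %s", request)

def handle_login_safe(request, log):
    # Redact before the record is even created, then hash instead of storing the secret.
    log.debug("login request: %s", redact(request))
    return hash_password(request["password"])

class ListHandler(logging.Handler):
    """Collects formatted log lines so the effect of each handler can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def run_login(handler, request, scrub=False):
    """Route one login through `handler` and return exactly what reached the log."""
    log = logging.Logger("demo")  # standalone logger, not registered globally
    log.setLevel(logging.DEBUG)
    sink = ListHandler()
    log.addHandler(sink)
    if scrub:
        log.addFilter(RedactingFilter())
    handler(request, log)
    return sink.lines
```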
Facebook’s blog post reads, “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.”
In a statement to KrebsOnSecurity, a senior Facebook employee said that around 600 million passwords were stored in plain text, and that some credentials had been stored this way since 2012.
Facebook stated that no passwords were exposed externally and that the company has found no evidence of abuse to date.
Facebook has suggested a few steps users can take to keep their accounts secure. Users can change their password in the settings on Facebook and Instagram. Facebook suggests that its users avoid reusing passwords across different services. Users have also been advised to pick strong, complex passwords for their accounts.
Facebook further recommends that users enable two-factor authentication, either with a security key or with a third-party authenticator app, to protect their Facebook account. Then, whenever a user logs in with their password, Facebook will also ask for a security code or ask the user to tap their security key to verify the login.
Users are now questioning Facebook’s IT auditors and wondering why it took the audit team this long to identify this security flaw. According to some others, Facebook opened up about this only because KrebsOnSecurity highlighted it; otherwise, the company would have kept it secret.
Users are angry and, according to them, Facebook is only concerned about its profits and doesn’t care about its users. Facebook has emphasized that this was an accident and unintentional. One user complained that her account was hacked and that she would lose all of her content there.
My account was hacked and I was completely locked out.. are they not re-accessible? Is there a way I can have it restored? If not I’m losing 12 years of photos and 12 years of memories and 12 years of friendships in there!!!
— ashlee jackson (@ashleej53189596) March 22, 2019
Irrespective of whether this password exposure was intentional or not, it is undeniable that Facebook has a long way to go in terms of rebuilding trust and working on its products, policies and business decisions from a safety and security perspective.
To know more about this news, check out Facebook’s official announcement.