SAN FRANCISCO – Facebook said Thursday that millions of user account passwords had been stored insecurely, potentially allowing employees to access people's accounts without their knowledge.
The Silicon Valley company disclosed the security lapse around the same time Brian Krebs, a cybersecurity writer, reported the password vulnerability. Mr. Krebs said a Facebook review had found that hundreds of millions of user passwords dating back to 2012 were stored in a format known as plain text, making the passwords readable to more than 20,000 of the company's employees.
Facebook said it had not found any signs of abuse and that it would start warning millions of its users and thousands of Instagram users about the problem. The company said it would not require people to reset their passwords.
In response, the company has repeatedly said it plans to improve how it protects people's data.
"There is nothing more important to us than protecting people's information, and we will continue to make improvements in our ongoing security efforts on Facebook," Pedro Canahuati, Facebook's Vice President of Security and Privacy Technology, said in a blog post on Thursday.
Here is an overview of what you need to know about the password vulnerability and what you can do.
What is the problem?
Saving passwords in plain text is a bad security practice. It leaves passwords wide open to cyberattacks or potential employee abuse. A better security practice would have been to keep the passwords in an encrypted form, so that it is impossible to read them.
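To make that distinction concrete, here is an added illustration in Python. It is not part of the original article and not Facebook's code; the sample password, the store layouts and the PBKDF2 work factor are assumptions. It contrasts a plain-text record, which anyone who can read the store can read, with a salted, slow-hashed record that still lets the site verify a login but never contains the password itself.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
ITERATIONS = 600_000


def store_plaintext(password: str) -> dict:
    """The bad practice: the record holds the password as typed (constructed example)."""
    return {"password": password}


def store_hashed(password: str) -> dict:
    """The better practice: a random per-user salt plus a slow, one-way digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_hashed(record: dict, attempt: str) -> bool:
    """Recompute the digest from the login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def record_exposes_password(record: dict, password: str) -> bool:
    """Whether someone who can read the stored record (an employee with log
    access, say) sees the password itself."""
    return any(value == password for value in record.values())


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("plain-text record exposes password:",
          record_exposes_password(store_plaintext(pw), pw))
    rec = store_hashed(pw)
    print("hashed record exposes password:", record_exposes_password(rec, pw))
    print("login with right password:", verify_hashed(rec, pw))
    print("login with wrong password:", verify_hashed(rec, pw + "!"))
```

Because each record carries its own random salt, two users with the same password get different stored digests, so a reader of the store cannot even tell that they match; the cost of the slow hash is paid once per login, not once per stored password.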
Facebook said it had not found any signs of abuse, but that does not mean abuse did not occur. Citing a Facebook insider, Mr. Krebs said that access logs revealed that 2,000 engineers or developers had made nine million requests for data containing plain-text user passwords.
A Facebook employee could have shared your password with someone else, who would then have improper access to your account. Or an employee could have read your password and used it to log in to another site where you used the same password. There are plenty of possibilities.
Ultimately, a company as big, rich and well staffed as Facebook should have known better.
How do I know if anyone had access to my account?
There is no easy way to know. Facebook is still investigating and will begin to notify people whose passwords might have been stored in plain text.
What should I do?
Facebook is not requiring users to change their passwords, but you should do so anyway.
There are many methods for setting strong passwords. For example, do not use the same password on multiple websites and do not use your Social Security number as a username or password. You can also configure security features such as two-step verification.
There are a few other steps to take. I also recommend that you set up your Facebook account to receive alerts whenever an unrecognized device logs in to it. To do so, go to your Facebook app settings, tap Security and Login, and then tap Get alerts about unrecognized logins. From there, you can choose to receive alerts via email or messages.
It is also worth reviewing which devices are signed in to your account, so you know which laptops, phones and other gadgets already have access to it. On Facebook's Security and Login page, under "Where you're logged in," you can see a list of the devices signed in to your account and their locations.
If you see an unfamiliar device, or one logged in from an odd location, click the "Remove" button to log that device out of your account.