SAN FRANCISCO (AP) – Facebook left hundreds of millions of user passwords readable by its employees for years, the company acknowledged Thursday after a security researcher exposed the lapse.
By storing passwords in readable plain text, Facebook violated basic computer security practices. Those practices call for organizations and websites to store passwords in a scrambled form that makes it nearly impossible to recover the original text.
"There is no valid reason why anyone in an organization, especially one the size of Facebook, should have access to users' passwords in plain text," said cyber security expert Andrei Barysevich of Recorded Future.
Facebook said there is no evidence that employees abused their access to this data. But thousands of employees could have searched through it. The company said the passwords were stored on internal company servers that no outsiders could access. Nevertheless, some privacy experts suggested that users change their Facebook passwords.
The incident reveals another large and fundamental oversight by a company that insists it is a responsible guardian of the personal data of its 2.3 billion users worldwide.
The security blog KrebsOnSecurity said that Facebook may have left the passwords of about 600 million Facebook users exposed. In a blog post, Facebook said it had likely stored the passwords of "hundreds of millions" of Facebook Lite users, millions of Facebook users and tens of thousands of Instagram users in plain text.
Facebook Lite is a version designed for people with older phones or low-speed Internet connections. It is used primarily in developing countries.
Last week, Facebook CEO Mark Zuckerberg presented a new "privacy-focused vision" for the social network that would emphasize private communication over public sharing. The company wants to encourage small groups of people to hold encrypted conversations that neither Facebook nor any other outsider can read.
However, the fact that the company failed to do something as simple as encrypting passwords raises questions about its ability to handle more complex encryption problems.
Facebook said it discovered the problem in January. But security researcher Brian Krebs wrote that in some cases the passwords had been stored in plain text since 2012. Facebook Lite was launched in 2015, and Facebook bought Instagram in 2012.
The problem, according to Facebook, was not due to a single bug. During a routine review in January, it says it found that plain-text passwords were accidentally captured and stored in its internal storage systems. This happened in a number of circumstances – for example, when an app crashed and the resulting crash log included a captured password.
But Alex Holden, the founder of Hold Security, said Facebook's explanation is not an excuse for sloppy security practices that allowed so many passwords to be exposed internally.
Recorded Future's Barysevich said he could not recall any major company being caught leaving so many passwords exposed. He said he has seen a number of cases where smaller organizations made such information readily available – not just to programmers, but also to customer support teams.
Security analyst Troy Hunt, who runs the "haveibeenpwned.com" site, said the situation could be embarrassing for Facebook, but not dangerous unless an adversary had accessed the passwords. Facebook has had major breaches, most recently in September, when attackers gained access to about 29 million accounts.
Jake Williams, president of Rendition Infosec, said keeping plain-text passwords is "unfortunately more common than most of the industry talks about" and tends to happen when developers try to debug a system.
He said the Facebook blog post suggests that saving passwords in plain text may have been "a sanctioned practice", though he said it is also possible that a "rogue development team" was to blame.
Hunt and Krebs both likened Facebook's lapse to similar stumbles last year, on a much smaller scale, at Twitter and GitHub; the latter is a site where developers store code and track projects. In those cases, software bugs were blamed for inadvertently storing plain-text passwords in internal log files.
Facebook's normal procedure is to store passwords in scrambled form, the company noted Thursday in its blog post.
That is good to know, although Facebook engineers apparently added code that defeated the protection, said security researcher Rob Graham. "They all have the right locks on the doors, but someone left the window open," he said.
Bajak reported from Boston.