Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees, in some cases dating back to 2012, KrebsOnSecurity has learned. Facebook says that an ongoing investigation has so far found no indication that employees have abused access to this data.
Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That is according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.
The Facebook source said the investigation so far indicates that between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said that Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives containing plain text user passwords dating back to 201
My Facebook insider said that access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data items that contained plain text user passwords.
"The further we go into this analysis, the more comfortable the legal people [at Facebook] are with the lower limits" of affected users, the source said. "Currently, they are working on an attempt to reduce this number even more by counting only things we have in our data warehouse."
In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company was not ready to talk about specific numbers, such as the number of Facebook employees who could have accessed the data.
Renfro said the company was planning to notify affected Facebook users, but that no password resets would be required. "We have not found any cases so far in our investigations where someone intentionally searched for passwords, and we have not found any evidence of abuse of this data," Renfro said. "In this situation, what we have found is that these passwords were inadvertently logged, but there was no actual risk coming from this. We want to make sure we reserve these steps and only force a password change in cases where there surely are indications of abuse."
A written statement from Facebook to KrebsOnSecurity says the company expects to notify "hundreds of millions of Facebook Lite users, tens of thousands of other Facebook users and tens of thousands of Instagram users." Facebook Lite is a version of Facebook designed for low-speed connections and low-spec phones.
Both Github and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people within those organizations, and for much shorter periods of time.
Renfro said that the problem first came to light in January 2019, when security engineers reviewing some new code noticed that passwords were being logged in plain text.
"This prompted the team to set up a small task force to make sure we did a wide-ranging review of anywhere this could happen," Renfro said. "We have a lot of controls in place to try to mitigate these issues, and we are investigating long-term infrastructure changes to prevent this going forward. We are now reviewing the log files we have to see if there has been abuse or other access to this data."
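The failure mode Renfro describes is an application serialising a login request into its logs with the password still inside it. The following is an added illustration in Python, not Facebook's code: the defective logging call beside a wrapper that redacts credential fields before the line is written, plus a check that scans existing log lines for leaked credential values. The field names and the sample log lines are constructed for the example.

```python
import json
import re

# Assumed list of credential-bearing field names; extend per application.
SENSITIVE_KEYS = {"password", "passwd", "pass", "new_password", "old_password", "token"}
REDACTED = "[REDACTED]"


def redact(obj):
    """Recursively replace the values of credential-bearing keys before logging."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_login_unsafe(request: dict) -> str:
    """The defect: the whole request dict is serialised into the log line,
    password included. The line is returned so it can be inspected."""
    return "login attempt " + json.dumps(request, sort_keys=True)


def log_login_safe(request: dict) -> str:
    """Hardened form: credential fields are redacted before serialisation."""
    return "login attempt " + json.dumps(redact(request), sort_keys=True)


# Detection over existing logs: a credential key followed by a value that is
# anything other than the redaction marker.
_LEAK = re.compile(
    r'"(?:%s)"\s*:\s*"(?!\[REDACTED\]")[^"]+"' % "|".join(SENSITIVE_KEYS), re.I)


def find_credential_leaks(log_lines):
    """Return the 1-based line numbers whose JSON payload exposes a credential."""
    return [i for i, line in enumerate(log_lines, 1) if _LEAK.search(line)]


# Constructed sample log: one leaking line, one redacted line, one unrelated line.
SAMPLE_LOG = [
    log_login_unsafe({"user": "alice", "password": "hunter2", "client": "lite-android"}),
    log_login_safe({"user": "bob", "password": "correct horse", "client": "web"}),
    'health check {"status": "ok"}',
]

if __name__ == "__main__":
    print("leaking log lines:", find_credential_leaks(SAMPLE_LOG))
```

Running the scanner over the constructed sample reports only the first line, which is the one written by the unsafe logger.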
Facebook's password troubles cap a difficult month for the social network. Last week The New York Times reported that federal prosecutors are conducting a criminal investigation into data-sharing deals Facebook struck with some of the world's largest technology companies.
Earlier in March, Facebook came under fire from security and privacy experts for using phone numbers that users had provided for security purposes, such as two-factor authentication, for other things (such as marketing, advertising, and making users searchable by their phone numbers across the social network's different platforms).
Update, 11:43: Facebook has posted a statement about this incident here.
Tags: Facebook, plaintext passwords, Scott Renfro