Facebook made a major media announcement on Thursday, March 21st, saying that an internal security review had found that the passwords of hundreds of millions of users had been stored on company servers without encryption, and that this practice had been going on for at least seven years. Every account added to Facebook since 2012 is affected.
The company says that although thousands of its employees had access to the data, it has so far found no evidence that the user data and passwords were accessed. An estimate of the Facebook user base indicates that 60+ million Vietnamese user files are among the "hundreds of millions" of files involved.
Brian Krebs, a security researcher, published a blog post on Thursday detailing this latest Facebook security issue and the encryption problems behind it. According to Krebs, Facebook employees built applications that captured the passwords of users and stored them as plain text on company servers, meaning a stored password was readable exactly as the user had typed it to log in.
Pedro Canahuati, vice president of engineering for security and privacy at Facebook, wrote in a blog post in response to Krebs' report that, "As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable."
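The difference between the readable storage Krebs describes and the "masking" Canahuati refers to is the difference between keeping the password itself and keeping only a salted, slow hash of it. The following is an added illustration written for this article, not Facebook's code and not taken from the KrebsOnSecurity post; the function names and the PBKDF2 parameters are this example's own choices, and it uses only the Python standard library.

```python
"""
Added example (not Facebook's code): plaintext credential storage, the pattern
described in the article, side by side with salted PBKDF2 hashing, which is what
a login system is expected to do. Function names and parameters are assumptions
made for this illustration.
"""
import hashlib
import hmac
import secrets

# Work factor and salt size chosen for this example; real deployments tune these.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> dict:
    """The flawed pattern: the stored record *is* the password.
    Anyone who can read the record (or any log it leaks into) can log in as the user."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str) -> dict:
    """Keep only a random salt and a PBKDF2-HMAC-SHA256 digest.
    The original password cannot be read back from this record, and the per-user
    salt means identical passwords produce different stored digests."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either kind of record.
    hmac.compare_digest is constant-time, so the comparison does not leak
    how many leading bytes matched."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(
            record["secret"].encode("utf-8"), candidate.encode("utf-8")
        )
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def exposes_password(record: dict) -> bool:
    """The question an internal security review asks of a stored record:
    does reading it reveal the credential itself?"""
    return record["scheme"] == "plaintext"


if __name__ == "__main__":
    weak = store_plaintext("hunter2")
    strong = store_hashed("hunter2")
    print("plaintext record exposes password:", exposes_password(weak))
    print("hashed record exposes password:", exposes_password(strong))
    print("hashed record verifies correct password:", verify(strong, "hunter2"))
    print("hashed record rejects wrong password:", verify(strong, "hunter3"))
```

Both records authenticate the same user, which is why the problem went unnoticed at login time: the difference only shows up when someone other than the login system reads the record.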
Sources at Facebook, who wished to remain anonymous, said that between 200 million and 600 million Facebook users may have had their account passwords stored in plain text. These passwords and user data were searchable by more than 20,000 Facebook employees, and company employees did access that data.
Access logs for the "My Facebook" engineering and management team showed that more than 2,000 developers and engineers made approximately nine million internal queries for data elements that contained plain text user passwords.
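The access logs described above are the kind of evidence an internal review turns up after the fact; the earlier control is to scan internal logs and query results for fields that carry a credential in the clear. The following is an added example written for this article, not Facebook's tooling: the log lines are constructed, the field names it looks for are assumptions, and it uses only the Python standard library.

```python
"""
Added example (not Facebook's code): detect and redact plaintext credential
fields in internal log lines. The sample lines below are constructed for this
illustration; the field names treated as credential-bearing are assumptions.
"""
import re

# Constructed sample log lines, not real data. Line 4 carries a hash, not a
# password, and must not be flagged.
SAMPLE_LOG = [
    "2019-01-14T10:02:11Z INFO login_service user=alice@example.test status=ok",
    "2019-01-14T10:02:12Z DEBUG login_service user=bob@example.test password=Tr0ub4dor&3 status=ok",
    '2019-01-14T10:02:13Z DEBUG api_gateway body={"email":"carol@example.test","pass":"correct horse"}',
    "2019-01-14T10:02:14Z INFO login_service user=dave@example.test pwd_hash=pbkdf2$... status=ok",
]

# key=value or "key":"value"; \b keeps pwd_hash from matching as pwd.
SECRET_FIELD = re.compile(
    r'\b(?P<key>password|passwd|pass|pwd)\b"?\s*[:=]\s*'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s,}]+))',
    re.IGNORECASE,
)


def _value_group(match: re.Match) -> str:
    """Name of the capture group that actually holds the secret value."""
    return "quoted" if match.group("quoted") is not None else "bare"


def find_plaintext_credentials(lines) -> list:
    """Return (line_number, field_name, value) for every credential field found.
    Line numbers are 1-based to match how log viewers display them."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in SECRET_FIELD.finditer(line):
            findings.append((lineno, m.group("key"), m.group(_value_group(m))))
    return findings


def redact(line: str) -> str:
    """Replace only the secret value, leaving the field name and surrounding
    structure intact so the line stays parseable."""
    out, last = [], 0
    for m in SECRET_FIELD.finditer(line):
        grp = _value_group(m)
        out.append(line[last:m.start(grp)])
        out.append("<REDACTED>")
        last = m.end(grp)
    out.append(line[last:])
    return "".join(out)


def exposure_summary(lines) -> dict:
    """Counts a reviewer would report: lines scanned, lines exposing a credential."""
    exposed = {lineno for lineno, _, _ in find_plaintext_credentials(lines)}
    return {"lines_scanned": len(lines), "lines_exposing_credentials": len(exposed)}


if __name__ == "__main__":
    for lineno, key, value in find_plaintext_credentials(SAMPLE_LOG):
        print(f"line {lineno}: field '{key}' holds a plaintext credential")
    for line in SAMPLE_LOG:
        print(redact(line))
    print(exposure_summary(SAMPLE_LOG))
```

Redaction at the point of logging is what prevents the situation the article describes, where queries over stored data return the password itself; the scanner is the check that confirms the redaction is actually in place.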
In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn't ready to talk about specific numbers, such as the number of Facebook employees who could have accessed the data. He said that no password resets would be required and that the company expects to notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users."
This latest problem for Facebook comes at a time when the company is under scrutiny from regulators across the globe. The company has been involved in multiple scandals, including the release of data to Cambridge Analytica during the 2016 U.S. presidential race.
• In the fall of 2018, EU regulators announced a $1.6 billion USD fine against the company for a data breach, and in the United Kingdom the company was fined 500,000 GBP for the same infraction.
• At the beginning of March, Facebook faced renewed criticism when it was reported that phone numbers collected for security purposes were also being used for advertising and marketing, and made users searchable by phone number across the company's multiple platforms.
• Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world's largest tech companies, and that a grand jury in New York has been conducting the investigation. The companies struck deals with Facebook to access user data such as friend lists and contact information, without explicit consent from the users concerned.
In response to the mounting barrage of negative reports about the company, and to calls from regulators in Washington D.C. that the company be regulated as a media company and that its different components be broken apart, Facebook CEO Mark Zuckerberg announced that the company would be pivoting to a privacy-first model, although few details were given.
In the meantime, although Facebook says it is not necessary to reset passwords, security experts recommend that the platform's users be proactive and reset their passwords as a normal and prudent personal security step.