Change It Now: Millions of Facebook Passwords Exposed Internally

March 21, 2019 Updated: March 21, 2019

A report says that hundreds of millions of Facebook passwords were stored in plain text on the company's internal systems; the firm said on March 21 that the problem has been fixed.

Security journalist Brian Krebs of KrebsOnSecurity broke the news of the failure, reporting that as many as 600 million passwords had been stored in plain text.

A source at Facebook told him that during an investigation, “between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.”

“Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012,” he wrote, citing the source.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source told him.

He added: “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

Facebook software engineer Scott Renfro went on record with Krebs, saying that the firm doesn’t have the exact numbers, including the number of employees who could have accessed the passwords.


“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro told Krebs. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

Facebook said the issue was discovered in January as part of a routine security review.

The majority of those affected were users of Facebook Lite, a version of the social media app built for regions with lower connectivity, Reuters reported.

Security firm Sophos said that users should “change [their] Facebook password now.”

“In jargon terms, they’re known as plaintext passwords and it means that instead of seeing a password scrambled into a hashed form such as 379f1531753a7c43ab4f4faace212451, anyone looking at the stored data will see the actual password, right there, just like that,” it says. “Plaintext passwords used to be the rule, decades ago, but it’s become technically, socially and even morally irresponsible to save raw passwords over the years,” the website adds.
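The two failure modes the article describes, a password that ends up in a log because the whole request was logged, and a password stored raw instead of hashed, are shown below in an added example. This is not code from Facebook, Krebs or Sophos; it assumes a hypothetical in-memory user store, a login request modelled as a dict, constructed log lines, and PBKDF2-HMAC-SHA256 as the password hash (the hash in the Sophos quote is only an illustration of what a digest looks like). It also includes a small scanner of the kind an investigation like the one described would run over old log archives to find plaintext passwords.

```python
"""Added example: keep passwords out of logs and store them only as salted hashes.

Everything here is hypothetical and constructed for illustration (no real
Facebook systems, users or log formats are involved).
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# --- Failure mode 1: the password is "inadvertently logged" ----------------

SAMPLE_REQUEST = {"user": "alice", "password": "hunter2"}  # constructed input

def insecure_login_log(request: dict) -> str:
    """Debug-style logging of the whole request: the raw password lands in the log."""
    return f"login attempt: {request}"

SECRET_FIELDS = {"password", "passwd", "pwd", "token"}

def redact(request: dict) -> dict:
    """Replace secret-bearing fields before anything is written to a log sink."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v) for k, v in request.items()}

def safe_login_log(request: dict) -> str:
    return f"login attempt: {redact(request)}"

# --- Failure mode 2: the password is stored in plain text ------------------

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A per-user random salt defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time; the stored digest never reveals the password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

USERS: Dict[str, Tuple[bytes, bytes]] = {}  # hypothetical user store: name -> (salt, digest)

def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)  # the raw password is never retained

def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Hash anyway so unknown and known usernames take the same time.
        hash_password(password)
        return False
    return verify_password(password, *record)

# --- Finding leaks already sitting in archived logs -------------------------

# key=value, key: value, or JSON/dict style "key": "value"
_LEAK_RE = re.compile(r"(?i)\b(password|passwd|pwd)['\"]?\s*[=:]\s*['\"]?([^'\"&\s,}]+)")
_PLACEHOLDERS = {"[REDACTED]", "***", "<redacted>"}

LOG_LINES = [  # constructed sample archive
    "2012-06-01T10:00:00Z INFO login user=alice password=hunter2 ok=true",
    "2012-06-01T10:00:05Z INFO login user=bob password=[REDACTED] ok=true",
    '2012-06-01T10:00:09Z DEBUG request body {"user": "carol", "password": "s3cret!"}',
    "2012-06-01T10:00:12Z INFO password reset mail sent to dave",
]

def find_password_leaks(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, field name) for every line carrying a raw secret value."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in _LEAK_RE.finditer(line):
            field, value = match.group(1).lower(), match.group(2)
            if value not in _PLACEHOLDERS:
                hits.append((number, field))
    return hits

if __name__ == "__main__":
    register("alice", "hunter2")
    print("login ok:", login("alice", "hunter2"), "| wrong pw:", login("alice", "hunter3"))
    print("raw password in store:", "hunter2" in repr(USERS))
    print("insecure log:", insecure_login_log(SAMPLE_REQUEST))
    print("safe log:    ", safe_login_log(SAMPLE_REQUEST))
    print("leaks in archive:", find_password_leaks(LOG_LINES))
```

The redaction step is the one that addresses the incident as Renfro describes it: the hashing in the user store is irrelevant if the login handler logs the request before the hash is computed. The scanner is deliberately crude (a regex over common key/value shapes) and will miss encodings and custom formats; it exists to show that the leak in the insecure log line is mechanically detectable, not to be a complete DLP rule.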

Forbes reported that Facebook will be alerting people whose passwords have been stored in plaintext.

“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” a Facebook official said.

The outlet also recommended that users change their passwords.

Reuters contributed to this report.
