Facebook admitted Thursday that it stored user passwords in plain text, leaving them readable by thousands of its employees.
The social media giant didn’t immediately respond to a WWD request for comment, but publicly acknowledged the glaring oversight in a blog post, which was published after a security expert had already uncovered the issue and written about it on his own blog.
According to Pedro Canahuati, Facebook’s vice president of engineering, security and privacy, the company stumbled across it while it was doing “a routine security review in January.” Chalking the matter up to an errant bug, he said the problem has been fixed.
Facebook may have discovered the glitch in January, but security expert Brian Krebs believes that, in some instances, the vulnerability has been going on for years — as far back as 2012.
For Krebs, the sheer scope is staggering: He figures the platform’s failure to apply basic security protocol — like encrypting or scrambling the characters — may have affected the logins of as many as 600 million people.
According to Canahuati, Facebook does apply security protocols to logins, with systems that “are designed to mask passwords using techniques that make them unreadable.” But he didn’t disclose what went wrong this time, or what specific measures the company took to address this matter. He explained that the company stashes the passwords on internal servers, where no external actors could reach them, and internally, there was no evidence that any of its employees abused the access to this data.
Even so, Facebook plans to notify everyone whose passwords were affected “as a precaution,” Canahuati continued. It estimates that notifications will have to go out to “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of the network for people with older handsets or regions with slower connectivity.
For Instagram, the timing couldn’t be worse. The photo-sharing platform just announced a new checkout feature that allows users to save payment details and purchase goods directly in the app. But for the premise to work, shoppers must have confidence in the security of their logins, transactions and financial details.
In other words, security is much more fundamental to Instagram today than it was on, say, Monday.
The issue also puts a dent in Facebook’s apology tour. The company has been trying to win over policymakers and a public disenchanted with its handling of user data, ever since the Cambridge Analytica scandal came to light in 2017. In addition to appearing before Congress and sending other executives to D.C., chief executive officer Mark Zuckerberg has repeatedly emphasized that the company would be investing more to safeguard privacy and security.
And yet, the network has still suffered major breaches — like the September attack that affected millions of user accounts.
Now Zuckerberg has taken up a new “privacy-focused vision” that highlights private conversations more than public sharing. In practical terms, it would look like small groups conversing through encrypted chats. And, Facebook says, even the company wouldn’t be able to read them.