‘Glitch’ Exposes Millions of Facebook Passwords Internally

Security researcher Brian Krebs revealed that up to 600 million passwords of Facebook users were mistakenly stored in plain text and accessible by up to 20,000 Facebook employees. The passwords were reportedly logged and stored without encryption. KrebsOnSecurity explained yesterday that in some cases, passwords were searchable as far back as 2012. Facebook says it has resolved a “glitch” that may be responsible for the problem and will be notifying users of Facebook, Facebook Lite and Instagram. The company said that its internal investigation did not uncover any misuse of the data.

“Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers,” notes KrebsOnSecurity. “That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.”

Facebook posted a response, explaining: “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”

“The security lapse appears similar to others that have occurred at tech companies, including Twitter, which asked 331 million users to change their passwords in May after discovering that one of its internal systems logged users’ unencrypted passwords,” reports The Wall Street Journal.

Facebook’s post details the steps the company takes to secure user data and also offers suggestions for individuals who want to keep their accounts secure. Those steps include changing passwords, creating “strong and complex passwords,” avoiding reuse of passwords across services, using password manager apps, and “enabling a security key or two-factor authentication.” However, the company says password resets are not required as a result of the recent issue.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Facebook software engineer Scott Renfro told KrebsOnSecurity. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

According to Facebook, the recent issue was first discovered in January during a routine security review that revealed most of those affected were Facebook Lite users.

“The news caps a long period of trouble for Facebook over the way it handles and protects user data,” reports BBC News. “In September last year, it said information on 50 million users had been exposed by a security flaw. And earlier in 2018 it revealed that data on millions of users had been harvested by data science company Cambridge Analytica.”