Facebook has acknowledged storing hundreds of millions of user passwords in plaintext files for years, dating back to at least 2012. To quote my colleague, David Cardinal: “Of course they did. Can we just pre-write horror stories about Facebook so we’ll be ready when each of them becomes true?”
Because really, at this point, that’s a pretty good summary of the situation. KrebsOnSecurity researcher Brian Krebs broke the story after speaking to a Facebook employee. Between 200 million and 600 million user accounts were impacted, and the data was stored on internal servers where some 20,000 employees had access to it. Facebook is reportedly still attempting to determine how many passwords were exposed and exactly who had access to them, but the flaw dates back to at least 2012. Some 2,000 engineers or developers made an estimated 9 million queries against the database for elements that contained plaintext user passwords.
“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
According to Facebook software engineer Scott Renfro, the company has not detected any signs that the repository was misused or penetrated by bad actors. “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
Nonetheless, Facebook expects to notify tens of millions of Facebook users, hundreds of millions of users of its low-speed, low-overhead service Facebook Lite, and tens of thousands of Instagram users. The impact metrics suggest the issue was largely related to FB Lite, though the reason for this overlap isn’t currently clear.
Facebook has published an article on the topic, but most of it just reviews the company’s existing security practices and minimizes the fact that the company was storing critical user data in the least-secure method possible. The fact that the data does not appear to have been misused is, of course, a good thing. But with lawsuits and federal investigations into its various practices mounting, disclosures like this only further emphasize how slipshod Facebook’s practices truly are. The “move fast and break things” mentality that Mark Zuckerberg espoused didn’t have exceptions for security. Storing hundreds of millions of plaintext passwords for seven years (if not longer) is proof that such approaches encompassed security.
At this point, the one certainty is that we’ll be talking about Facebook again in a few more days or weeks, once again detailing whatever cataclysmic failure of trust, ethics, or long-term thinking has just leaked. It’s no longer a question of whether or not these things have happened — just when we’ll find out about them and how much additional damage the company has done.