Facebook employees had access to millions of user passwords
21 March 2019 | 0
Facebook has confirmed that hundreds of millions of user passwords were being stored in a “readable format” within its servers, accessible to internal Facebook employees. Affected users will be notified, Facebook said, so they can change those passwords.
Interestingly, Facebook downplayed and confirmed the problem in the same post, filed Thursday, after researcher Brian Krebs issued his own report. Facebook’s Pedro Canahuati, vice president of engineering for security and privacy, initially referred to “some” user passwords that were accessible to Facebook employees. A paragraph later, he revealed that “hundreds of millions of Facebook Lite users, millions of Facebook users, and tens of thousands of Instagram users” would be notified.
Facebook Lite was launched in 2009, initially in the US and India, as a simplified version of Facebook accessible to those without access to high-bandwidth internet services. It has since been pushed to many other countries.
Facebook said that the issue is an internal one. “To be clear, these
passwords were never visible to anyone outside of Facebook and we have
found no evidence to date that anyone internally abused or improperly
accessed them,” Canahuati wrote.
Facebook also discovered issues with how it stored information for
things like access tokens, and fixed them. “There is nothing more
important to us than protecting people’s information, and we will
continue making improvements as part of our ongoing security efforts at
Facebook,” Canahuati wrote.
Researcher: 20,000 employees had access
Krebs paints a different story. Though Krebs stressed that he had no information that Facebook employees had abused their ability to read user passwords, a source told him that employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.
In total, between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees, dating back to 2012, Krebs wrote.
Somewhat oddly, a Facebook engineer named Scott Renfro told Krebs,
“What we’ve found is these passwords were inadvertently logged but that
there was no actual risk that’s come from this.”
Facebook has already had to deal with scandals that include the aftermath of a terrorist in New Zealand livestreaming his attack on a Christchurch mosque on Facebook Live, and changes made to its advertising policies to prevent discrimination in housing and credit advertising. And those were just the last two days.
Whether there was risk or not, if you’re notified by Facebook that your password may have been seen by Facebook employees, change it.
IDG News Service