Facebook exposed passwords of 200 million to 600 million users in plain text

By Aadil Raval

Facebook currently has more than 2.5 billion active users, which makes it the largest social networking site in the world. It has, however, been embroiled in a number of controversies over data breaches, its involvement with Cambridge Analytica and more. Now a new incident has come to light: the passwords of hundreds of millions of users were stored in plain text on internal systems accessible to Facebook employees.

Brian Krebs of KrebsOnSecurity unearthed the incident after a senior Facebook employee discussed it on condition of anonymity. According to the source, some engineers at Facebook built applications that logged users' passwords in plain text to the company's internal servers. He added that between 200 million and 600 million user passwords were affected, with archives of logged plain-text passwords dating back as early as 2012, rather than the salted hashes in which Facebook normally stores them.

The source also said that no signs of improper or unlawful use of the credentials have been found so far. More than 20,000 Facebook employees could have accessed the archives; about 2,000 of them made more than nine million internal queries for data elements that contained plain-text passwords. According to Facebook, none of those queries show signs of misuse.


The incident affected users of Facebook, Facebook Lite and Facebook-owned Instagram. Even so, Facebook is not asking users to change their passwords, since it has found no evidence that any account was abused. Scott Renfro, a Facebook software engineer, said the company would not give the exact number of users affected or the number of employees who could have accessed the logged passwords, but that an internal investigation is ongoing and should establish how the passwords came to be logged inadvertently.

Facebook normally protects passwords by hashing them with a per-user salt, so that the password itself is never stored and a stolen hash cannot be used directly. Hashing is not encryption: a properly stored password hash cannot be reversed, even by Facebook itself. That protection was exactly what these inadvertently logged passwords lacked: they sat in internal data stores as plain text, readable by thousands of Facebook employees.
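The two controls at stake in this incident are worth seeing in code: storing only a salted hash, so the password itself is never written down, and scrubbing secret-looking fields from log messages, so a debug statement cannot recreate the problem. The block below is an added Python example written for this article; it is not Facebook's code, and the scrypt parameters, the list of secret field names and the sample log lines are assumptions constructed for illustration.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import List, Optional

# --- 1. Salted password hashing: what a password store should hold ---

# scrypt cost parameters; illustrative values, tune to your CPU/memory budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt_hex>$<hash_hex>'. A fresh random salt per password
    means two users with the same password get different stored records."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    The plain password only ever exists in memory here; it is never persisted."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate, expected)


# --- 2. Keeping plain-text passwords out of logs ---

# Field names treated as secrets (assumed list; extend it for your own schema).
# Group 1 is the key plus separator, group 2 the value (quoted or bare).
_SECRET_RE = re.compile(
    r'(?i)(["\']?\b(?:password|passwd|pwd|secret|token)\b["\']?\s*[:=]\s*)'
    r'("[^"]*"|\'[^\']*\'|[^\s,;&]+)'
)


def redact(text: str) -> str:
    """Replace the value of every secret-looking field, keeping its quoting."""
    def _sub(m):
        value = m.group(2)
        quote = value[0] if value[0] in "\"'" else ""
        return m.group(1) + quote + "[REDACTED]" + quote
    return _SECRET_RE.sub(_sub, text)


class RedactSecretsFilter(logging.Filter):
    """Attach to every handler: a filter on a logger only sees records created
    by that logger, not ones propagated from child loggers. With it in place,
    a developer who logs a request body or form dict cannot leak a password."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # interpolate first, then scrub
        record.args = ()                           # already interpolated
        return True


def scrubbed_message(msg: str, *args) -> str:
    """Run a message through the filter the way a handler would."""
    rec = logging.LogRecord("auth", logging.DEBUG, "auth.py", 0, msg, args, None)
    RedactSecretsFilter().filter(rec)
    return rec.getMessage()


def find_secret_lines(lines: List[str]) -> List[int]:
    """Review helper for existing archives: 1-based indices of lines that
    still carry a plain-text secret field."""
    return [i for i, line in enumerate(lines, 1) if _SECRET_RE.search(line)]


# Constructed sample log lines (not real Facebook data) showing the failure mode.
SAMPLE_LOG = [
    "2019-01-14 10:02:11 INFO auth login ok user=alice",
    "2019-01-14 10:02:12 DEBUG auth attempt user=bob password=hunter2",
    "2019-01-14 10:02:13 INFO api request path=/me",
    '2019-01-14 10:02:14 DEBUG api body={"user": "carol", "password": "Tr0ub4dor&3"}',
]


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored:", stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("verify wrong:", verify_password("wrong", stored))
    print("lines with plain-text secrets:", find_secret_lines(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact(line))
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    for handler in logging.getLogger().handlers:
        handler.addFilter(RedactSecretsFilter())
    logging.debug("form=%s", {"user": "dave", "password": "letmein"})
```

The hashing half is what a password store should contain; the redaction half addresses the way this incident actually happened, which was not a broken hash but a logging path that never reached the hash at all. The filter must be attached to each handler, and `find_secret_lines` is the kind of check a code or log review would run over existing archives before they are purged.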

Twitter and GitHub discovered similar plain-text password logging issues in 2018, though in both cases the exposure lasted for a shorter period and far fewer people inside the organization could have seen the data. Facebook found its own issue in January 2019, when a team of security engineers reviewing new code stumbled upon passwords being logged in plain text.

Facebook has set up a task force to investigate the matter and to prevent any damage arising from it. It will notify affected users, though it says there is no need to change your password. If you would rather not keep the same password, or if you reuse it on other sites, change it now: a reused password exposes every account that shares it.

