March 21, 2019 (updated 07 Jul 2022 10:11am)

How Much Worse Can It Get? Facebook Stored Up to 600M Plain Text Passwords

What next?

By CBR Staff Writer

Never has Nick Clegg’s new job looked less enviable: in the latest privacy car crash for Facebook, the company has been caught storing up to 600 million users’ passwords in plain text on internal company servers.

These may have been accessed by up to 2,000 engineers or developers who made approximately nine million internal queries for data elements that contained plain text user passwords, an internal source told investigative reporter Brian Krebs, who broke the story.

Krebs said a Facebook inquiry has uncovered archives with plain text user passwords in them dating back to 2012.

Confirming the howler, Pedro Canahuati, Facebook VP Engineering, Security and Privacy, wrote: “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”

Facebook Passwords Exposed: “There is nothing more important to us than protecting people’s information”

“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook…used by people in regions with lower connectivity.”

He added: “In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them. There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.”

No apology was made. The company said “we have found no evidence to date that anyone internally abused or improperly accessed them.”
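The two controls whose absence this story describes, written up as an added example (not Facebook's code; the article does not describe its internals): credential fields are scrubbed from a log record before it is written, an existing archive can be swept for records that still carry secrets, and passwords are persisted only as salted scrypt digests. The field names and sample log lines are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import re
from typing import Optional

# Field names that must never reach a log or archive in the clear.
# Constructed list for this example, not any real service's schema.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "access_token", "token"}
REDACTED = "[REDACTED]"
_KV_RE = re.compile(r"\b(password|passwd|pwd|access_token|token)=([^\s&]+)",
                    re.IGNORECASE)

def redact_log_line(line: str) -> str:
    """Scrub credential fields from one log record before it is written.
    Handles a flat JSON object or a key=value line (query string, request
    dump). Nested JSON and prefixed keys such as user_token are out of scope.
    """
    stripped = line.strip()
    if stripped.startswith("{"):
        try:
            record = json.loads(stripped)
            hits = [k for k in record if k.lower() in SENSITIVE_KEYS]
            if not hits:
                return line  # nothing sensitive; keep the record byte-for-byte
            for key in hits:
                record[key] = REDACTED
            return json.dumps(record, sort_keys=True)
        except json.JSONDecodeError:
            pass  # not valid JSON; fall through to the key=value scrubber
    return _KV_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", line)

def find_plaintext_credentials(archive):
    """Detection pass over an existing archive: return the records that
    redaction would change, i.e. those that still carry a secret."""
    return [line for line in archive if redact_log_line(line) != line]

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Persist only a salted scrypt digest; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)
```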


The revelation was met with disbelief: Sam Curry, chief security officer at Cybereason, said: “Passwords in a flat file for anyone to read?! Are you kidding me? Give me a break! Everyone, including Facebook, has tech debt and security debt that piles up. But that’s not an excuse any longer. Facebook is starting to look like critical social infrastructure, where their responsibility is to the public. It’s past time to go back and clean the skeletons out of the closets. How can we trust this platform to get bigger and get more connected under the hood if they can’t do the basic blocking and tackling right? Facebook needs a security strategy for the 21st century, not the 20th century.”

Emmanuel Schalit, CEO, Dashlane, said in an emailed statement: “You may not be able to control the security architecture of the digital services you use every day and that hold so much of your data, but you can take measures to make sure you have optimal password hygiene. This is the digital version of the ‘containment’ doctrine. One example is using a password manager with a Password Changer capability; this can be easily done and used to instantly generate and change your passwords with a single click – ensuring proper and regular cyber hygiene.”
