Never has Nick Clegg’s new job looked less enviable: in the latest privacy car crash for Facebook, the company has been caught storing up to 600 million users’ passwords in plain text on internal company servers.
These may have been accessed by up to 2,000 engineers or developers who made approximately nine million internal queries for data elements that contained plain text user passwords, an internal source told investigative reporter Brian Krebs, who broke the story.
Krebs said a Facebook inquiry has uncovered archives with plain text user passwords in them dating back to 2012.
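What "stored in plain text" means in practice, and what the alternative looks like, as an added example that is not from the article and is not Facebook's code: a record written with the password as-is can be read back by any engineer who can query the store, whereas a record holding only a per-user salt and a slow one-way derivation lets the server check a login without ever being able to recover the password. The scanner at the end shows the kind of check a team would run over internal archives or log lines to find credential fields that should not be there. The field-name list, the sample archive lines and the store layout are all constructed for this example; PBKDF2-HMAC-SHA256 is used because it is in the Python standard library, with Argon2id, scrypt or bcrypt being preferable where a library is available.

```python
import hashlib
import hmac
import json
import os
import re

# Constructed parameters for this example. The principle does not depend on
# the KDF chosen: store a salted, deliberately slow one-way derivation,
# never the credential itself.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def store_password_plaintext(store, username, password):
    """The pattern the article describes: the credential is persisted as-is,
    so anyone who can read the store, or run a query over it, reads the password."""
    store[username] = {"password": password}


def store_password_hashed(store, username, password):
    """Hardened form: per-user random salt plus a slow one-way derivation.
    The stored record can confirm a login but cannot yield the password."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, dklen=KEY_BYTES)
    store[username] = {
        "kdf": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": derived.hex(),
    }


def verify_password(store, username, candidate):
    """Recompute the derivation with the stored salt; compare in constant time."""
    rec = store.get(username)
    if rec is None or rec.get("kdf") != "pbkdf2-sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                  bytes.fromhex(rec["salt"]), rec["iterations"],
                                  dklen=KEY_BYTES)
    return hmac.compare_digest(derived, bytes.fromhex(rec["hash"]))


# Detection: flag fields whose name suggests a credential in cleartext.
# The field names are a hypothetical list; extend it to your own schemas.
_CRED_FIELD = re.compile(r'(?i)(pass(?:word|wd)?|pwd)["\']?\s*[:=]')


def find_plaintext_credentials(lines):
    """Return (line_number, field_name) for each line carrying a credential field."""
    hits = []
    for n, line in enumerate(lines):
        for m in _CRED_FIELD.finditer(line):
            hits.append((n, m.group(1).lower()))
    return hits


def scan_store(store):
    """Serialise each record the way an archive or log would, then scan it."""
    return find_plaintext_credentials(
        json.dumps(rec, sort_keys=True) for rec in store.values())


# Constructed sample archive lines (not real data from any company).
SAMPLE_ARCHIVE = [
    '{"event":"login","user":"alice","password":"hunter2","status":"ok"}',
    '{"event":"login","user":"bob","status":"fail"}',
    '{"event":"reset","user":"carol","new_pwd":"S3cret!"}',
    'GET /login?user=dave&passwd=letmein HTTP/1.1',
]


if __name__ == "__main__":
    bad, good = {}, {}
    store_password_plaintext(bad, "alice", "hunter2")
    store_password_hashed(good, "alice", "hunter2")
    print("plaintext store findings:", scan_store(bad))
    print("hashed store findings:", scan_store(good))
    print("verify correct:", verify_password(good, "alice", "hunter2"))
    print("verify wrong:", verify_password(good, "alice", "hunter3"))
    print("archive findings:", find_plaintext_credentials(SAMPLE_ARCHIVE))
```

Run against the plaintext store the scanner reports the password field; against the hashed store it reports nothing, because the record contains only a salt and a digest. The regex is deliberately loose (it matches JSON keys, query strings and form bodies alike) since a scan over an archive should err towards false positives that a human then triages.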
Confirming the howler, Pedro Canahuati, Facebook VP Engineering, Security and Privacy, wrote: “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
Facebook Passwords Exposed: “There is nothing more important to us than protecting people’s information”
“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook…used by people in regions with lower connectivity.
He added: “In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them. There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.”
No apology was made. The company said “we have found no evidence to date that anyone internally abused or improperly accessed them.”
The revelation was met with disbelief: Sam Curry, chief security officer at Cybereason, said: “Passwords in a flat file for anyone to read?! Are you kidding me? Give me a break! Everyone, including Facebook, has tech debt and security debt that piles up. But that’s not an excuse any longer. Facebook is starting to look like critical social infrastructure, where their responsibility is to the public. It’s past time to go back and clean the skeletons out of the closets. How can we trust this platform to get bigger and get more connected under the hood if they can’t do the basic blocking and tackling right? Facebook needs a security strategy for the 21st century, not the 20th century.”
Emmanuel Schalit, CEO, Dashlane, said in an emailed statement: “You may not be able to control the security architecture of the digital services you use every day and that hold so much of your data, but you can take measures to make sure you have optimal password hygiene. This is the digital version of the ‘containment’ doctrine. One example is using a password manager with a Password Changer capability; this can be easily done, and used to instantly generate and change your passwords with a single click, ensuring proper and regular cyber hygiene.”