Facebook Does It Again – Stored Hundreds of Millions of Passwords in Plain Text Format

Here’s more proof that the word “security” does not mean what Facebook thinks it means, as the social network today announced that a routine security review revealed that it had stored “some user passwords” in plain text format within its internal data storage systems. Oh, and that information was accessible to thousands of employees.

As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.

To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.
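Facebook’s statement contrasts the passwords found “in a readable format” with login systems that “mask passwords using techniques that make them unreadable”. The following is an added example, not Facebook’s code, showing what that masking looks like (a salted, slow PBKDF2-HMAC-SHA256 hash, parameters chosen here as an assumption) and a review check that flags rows where a password is still readable, either because the field is not a masked hash or because a known test-account “canary” password shows up in some other column. The record layout and sample rows are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional

# Assumed parameters: PBKDF2-HMAC-SHA256 with a per-user random salt.
ITERATIONS = 600_000
MASKED_RE = re.compile(r"^pbkdf2_sha256\$\d+\$[0-9a-f]{32}\$[0-9a-f]{64}$")


def mask_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, slow hash; only this string is ever written to storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def find_readable_passwords(records: Iterable[dict], canary: str) -> List[str]:
    """Review check: flag a record's field when the password column is not a masked
    hash, or when a known canary (a test account's plaintext) appears in any column."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "id" or not isinstance(value, str):
                continue
            if canary in value or (field == "password" and not MASKED_RE.match(value)):
                findings.append(f"{rec['id']}:{field}")
    return findings


# Constructed sample rows standing in for an internal data store.
CANARY = "canary-Xq9!review"
SAMPLE_RECORDS = [
    {"id": "u1", "password": mask_password("correct horse")},
    {"id": "u2", "password": "hunter2"},  # stored readable: what the review should catch
    {"id": "u3", "password": mask_password(CANARY), "debug_log": f"login pw={CANARY}"},
]

if __name__ == "__main__":
    print(find_readable_passwords(SAMPLE_RECORDS, CANARY))  # ['u2:password', 'u3:debug_log']
```

The canary check is the part that finds passwords leaking into columns a schema review would not look at, such as a debugging field that captured the raw login form.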

Apparently “some user passwords” also does not mean what the social network thinks it means, as a company insider told KrebsOnSecurity that between 200 and 600 million users may have had their account passwords stored in plain text in a database that was accessible to 20,000 employees. For good measure, Instagram passwords were also included, along with some from users of Facebook Lite.

While the company says there’s “no evidence to date” that the passwords have been abused or improperly accessed, KrebsOnSecurity’s source says different.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

The social network says it will notify users whose passwords were improperly stored, and that it has been looking at the ways certain categories of information – such as access tokens – are stored, correcting problems as it finds them.

Facebook and Instagram users are strongly advised to change their passwords. Use unique passwords that are different from those used on other websites, and turn on two-factor authentication for good measure. But you probably remember all of this from the last Facebook fiasco.

