Facebook has more than a billion users across the globe, and as you can imagine, ensuring the security of users’ personal information should be of paramount importance to a platform of its size. So you may not be thrilled to hear that the company stored hundreds of millions of user passwords in plain text for years. Those passwords were searchable by thousands of Facebook employees, going as far back as 2012, according to KrebsOnSecurity. Facebook says an investigation is ongoing and that so far it has seen no indication of employees abusing access to the data.
So how did this happen? The report describes a string of security failures in which employees developed internal applications that logged users’ passwords unencrypted and stored those logs as plain text files on internal servers. It quotes a senior Facebook employee who is familiar with the ongoing investigation.
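The failure mode described above is a familiar one: application code that dumps a whole request or form into a log line, password field included. The following is an added illustration and is not code from Facebook or from the KrebsOnSecurity report; the field names, log lines and the `[REDACTED]` marker are my own constructed choices. It shows the leaky logging pattern next to a hardened version that scrubs credential fields before serialisation, a `logging.Filter` that applies the same scrubbing to every record regardless of who wrote the log call, and a small scanner that flags plain-text credentials already sitting in existing logs.

```python
import json
import logging
import re

# Field names whose values must never reach a log. Extend per application (assumption).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "authorization"}

# Matches key/value pairs in JSON-ish or form-encoded text, e.g.
#   "password": "hunter2"   or   password=hunter2
# Group 1 is the key, group 2 the value (terminated by quote, comma, space, '}' or '&').
CRED_PATTERN = re.compile(
    r'\b(password|passwd|pwd|secret|token)\b"?\s*[:=]\s*"?([^",\s}&]+)',
    re.IGNORECASE,
)


def log_login_attempt_unsafe(form: dict) -> str:
    """The leaky pattern: the entire form, password included, becomes the log line."""
    return "login attempt: " + json.dumps(form, sort_keys=True)


def redact(obj, sensitive=SENSITIVE_KEYS):
    """Recursively replace values of sensitive keys in dicts/lists with a marker."""
    if isinstance(obj, dict):
        return {
            k: ("[REDACTED]" if k.lower() in sensitive else redact(v, sensitive))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v, sensitive) for v in obj]
    return obj


def log_login_attempt_safe(form: dict) -> str:
    """Hardened version: scrub the structure before it is ever serialised."""
    return "login attempt: " + json.dumps(redact(form), sort_keys=True)


def scrub_line(text: str) -> str:
    """Defence in depth for free-text messages: blank credential values in a string."""
    # Group 2 sits at the end of each match, so keep the match up to the value and
    # replace the value itself.
    return CRED_PATTERN.sub(
        lambda m: m.group(0)[: m.start(2) - m.start()] + "[REDACTED]", text
    )


class RedactingFilter(logging.Filter):
    """Attach to a logger or handler so every record is scrubbed, whoever wrote it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_line(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


def find_leaked_credentials(lines):
    """Scan existing log lines; return (line_no, key) for each unredacted credential."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in CRED_PATTERN.finditer(line):
            if m.group(2) != "[REDACTED]":
                hits.append((n, m.group(1).lower()))
    return hits


# Constructed sample log, not real data.
SAMPLE_LOG = [
    '2019-03-21T10:00:00Z INFO login attempt: {"password": "hunter2", "username": "alice"}',
    '2019-03-21T10:00:01Z INFO login attempt: {"password": "[REDACTED]", "username": "bob"}',
    '2019-03-21T10:00:02Z DEBUG raw form body: username=carol&password=correct+horse&remember=1',
    '2019-03-21T10:00:03Z INFO session created for user_id=42',
]

if __name__ == "__main__":
    form = {"username": "alice", "password": "hunter2"}
    print(log_login_attempt_unsafe(form))  # password lands in the log
    print(log_login_attempt_safe(form))    # value replaced by [REDACTED]
    log = logging.getLogger("auth")
    log.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    log.debug("raw form body: username=carol&password=correct+horse&remember=1")
    print(find_leaked_credentials(SAMPLE_LOG))  # lines 1 and 3 still carry passwords
```

The structural `redact()` is the real fix, because it runs before the data is turned into text; the regex scrubber and filter are a safety net for ad hoc debug statements and for legacy code paths, and the scanner is what you run over the logs you already have to find out how long the problem has existed.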
The source added that the investigation indicates that between 200 million and 600 million users may have had their passwords stored in plain text, searchable by more than 20,000 Facebook employees. Facebook is reportedly still trying to establish how many passwords were exposed and for how long. Access logs show that around 2,000 engineers or developers made nearly nine million internal queries for data elements that contained plain text user passwords.
Scott Renfro, a Facebook software engineer, told KrebsOnSecurity that the company isn’t yet ready to give specific figures for the number of users affected or the number of employees who could have accessed the data. Facebook does plan to alert affected users, but added that no password reset would be required.
“In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this,” Renfro said. That will be cold comfort to many of the affected users, whose passwords were nonetheless left in the clear on internal systems for years. Even without a forced reset, anyone who reused their Facebook password on another service would be wise to change it there.