A report has said that millions of Facebook passwords were internally exposed, and the firm on March 21 said the problem has been fixed.
A source at Facebook told Krebs that during an investigation, “between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.”
“Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012,” he wrote, citing the source.
“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source told him.
He added: “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
Facebook software engineer Scott Renfro went on record with Krebs, saying that the firm doesn’t have the exact numbers, including the number of employees who could have accessed the passwords.
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro told Krebs. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
Facebook said the issue was discovered in January as part of a routine security review.
“In jargon terms, they’re known as plaintext passwords and it means that instead of seeing a password scrambled into a hashed form such as 379f1531753a7c43ab4f4faace212451, anyone looking at the stored data will see the actual password, right there, just like that,” it says. “Plaintext passwords used to be the rule, decades ago, but it’s become technically, socially and even morally irresponsible to save raw passwords over the years,” the website adds.
“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” a Facebook official said.
The outlet also recommended that users should change their password.