Facebook stored passwords for hundreds of millions of users in plain text, exposing them for years to anyone who had internal access to the files, according to Krebs on Security. User passwords are typically protected with encryption (a process known as hashing), but a string of errors led certain Facebook-branded apps to leave passwords accessible to as many as 20,000 company employees.
Between 200 million and 600 million Facebook users are believed to have been affected, according to Krebs, which first reported the security flaw. Facebook confirmed the issue in a blog post, titled “Keeping Passwords Secure,” and it said the company identified the problem in January as part of a security review. Facebook says it has fixed the issue and will notify everyone affected.
The plain text logging goes back to at least 2012
According to Facebook, there’s no evidence that plain text passwords were exposed outside of the company or that they were abused internally. As a result, users won’t be required to reset their passwords. The issue impacted “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the company says.
Although there’s no evidence of abuse, at least 2,000 Facebook employees searched through the files containing passwords, though it’s not clear what for. The password logging reportedly started as early as 2012.
This is the latest in a string of bad security issues for Facebook. In October, a hacker was able to access personal information from 29 million accounts after stealing login tokens. Before that, hacked private messages from 81,000 users were found to have been put up for sale. And none of that is including the wide-scale improper data sharing issues that kicked off with Cambridge Analytica and started putting real pressure on the company to change its practices.