Facebook found to store millions of passwords in plain text

News by Robert Abel

Facebook is once again making headlines after the company discovered it had been storing hundreds of millions of users passwords in plain text for years.

Facebook is once again making headlines after the company discovered it had been storing hundreds of millions of users passwords in plain text for years.

The company says its currently investigating the situation, but said in January it discovered some users' passwords had been stored in a readable format within its internal data storage systems, according to a 21 March blog post.

"This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable," wrote Facebook Vice President of Engineering, Security and Privacy Pedro Canahuati. "We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."

Canahuati explained that the passwords were never visible to anyone outside the company and that there is no evidence that they were internally abused or improperly accessed at the moment. Those who were affected will be notified.

In an email to SC Media UK, Paul Biscoff, privacy advocate at Comparitech, commented: "Storing passwords in plaintext seems like a rookie mistake for one of the largest internet companies in the world. Hashing and salting passwords so they are not readable and cannot be turned back into a readable format has been standard practice for many years.

"Although Facebook says there were no signs of abuse, it seems unlikely that none of the alleged 20,000 employees with access to those passwords even once poked around where they shouldn't have. Facebook says it won't require password resets until it does find signs of abuse, but I would recommend changing your account password, anyway. Be sure to use a password that's at least 12 characters, uses a combination of numbers, symbols, and upper- and lower-case letters, and is unique to your Facebook account."

Sam Curry, chief security officer at Cybereason, emailed SC Media UK to make clear the strength of his criticism, saying: "Passwords in a flat file for anyone to read?! Are you kidding me? Give me a break! Everyone, including Facebook, have tech debt and security debt that piles up. But that's not an excuse any longer.

"Facebook is starting to look like critical social infrastructure, where their responsibility is to the public. It's past time to go back and clean the skeletons out of the closets. How can we trust this platform to get bigger and get more connected under the hood if they can't do the basics of blocking and tackling right? Facebook needs a security strategy for the 21st century not the 20th century. "

"Unfortunately, such undocumented ‘features, are quite widespread in large technology companies," said High-Tech Bridge CEO Ilia Kolochenko. "Frequently, there is no malicious intent or negligence, but rather an internal "hack" to better resolve some issues or conduct testing."

Kolochenko said that "shadow data and its usage are virtually uncontrollable, and even now it would be premature to conclude that the [Facebook] issue is fully remediated – numerous backups, including custom backups made by employees, may still exist in different and unknown locations."

Tim Buntel, VP of Application Security Products, Threat Stack, said the revelation that Facebook stored millions of plain-text passwords on an unencrypted internal server is indicative of some of the challenges commonly found in large organisations where simple security tasks can be overlooked or ignored.

"It’s important to consider where data will be stored, how it will be secured, and if that protection is risk appropriate at all stages of the development and operations lifecycle," Buntel said. "The lesson here is to prioritise security observability, so organisations can easily identify vulnerabilities and misconfigurations like this."

Thycotic Chief Information Security Officer Terence Jackson questioned was the flaw an acceptable risk. "Assuming they are following a SSDLC, this should have definitely been a core protection built into the system," Jackson said. "Because there is no evidence that anyone external to Facebook had access to the un-encrypted passwords is not reassuring."

Jackson added that as a Facebook user, he questions why would an internal employee need access to his un-encrypted password and said that ultimately it’s still up to the consumer to govern data shared with services like these. This won’t be the last of Facebook’s issues, he added.

The social media giant has been under fire by politicians and privacy advocates alike. Most recently US Senator Elizabeth Warren called for the break up of big tech companies including Facebook to promote privacy and competition

The criticism against Facebook in particular alleges the company has purchased all of its competitors such as Instagram and WhatsApp, severely limiting competition in its space. The company is also reportedly under a criminal probe for data sharing practices with "partners" including more than 150 companies.

A number of scandals have been reported in just the short period after Facebook CEO Mark Zuckerberg made a commitment to pivot his platform toward privacy over the next few years.

But users likely will have to bear some of the onus for countering privacy violations and breaches. Noting that issues like the latest Facebook privacy flub "are very time-consuming to discover even with an external audit," Kolochenko said, "when dealing with large technology companies be well prepared to understand that they know everything about you and [internally] may handle this data differently from what their policy or terms of services say."

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews