Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees, in some cases dating back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That is according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.
The Facebook source said the investigation so far indicates that between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.
My Facebook insider said access logs showed that some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.
"The further we go into this analysis, the more comfortable the legal people [at Facebook] are with going with the lower bounds" of affected users, the source said. "Right now they are working on an effort to reduce that number even more by only counting things we currently have in our data warehouse."
In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company was not ready to talk about specific numbers, such as the number of Facebook employees who could have accessed the data.
Renfro said the company planned to notify affected Facebook users, but that no password reset would be required. "We have not found any cases so far in our investigations where someone was intentionally looking for passwords, and we have not found any signs of misuse of this data," Renfro said. "In this situation, what we found is that these passwords were inadvertently logged, but there was no actual risk that came from this. We want to make sure we reserve those steps and only force a password change in cases where there has definitely been a sign of abuse."
A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users." Facebook Lite is a version of Facebook designed for low-speed connections and low-spec phones.
Both Github and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people within those organizations, and for far shorter periods of time.
Renfro said the issue first came to light in January 2019, when security engineers reviewing some new code noticed that passwords were being inadvertently logged in plain text.
"This prompted the team to set up a small working group to make sure we did a broad review of anywhere this could be happening," Renfro said. "We have a number of controls in place to try to mitigate these issues, and we are in the process of investigating long-term infrastructure changes to prevent this going forward. We are now reviewing any logs we have to see if there has been abuse or other access to that data."
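The failure mode Renfro describes, code that logs a request "for debugging" and thereby writes the password field to disk, is easy to reproduce and easy to guard against. The following is an added example, not Facebook's code and not from the KrebsOnSecurity article: a naive login logger beside a hardened one, a `logging.Filter` that masks credential fields in any message before it reaches a handler, and a scanner of the kind a "broad review" would run over existing logs. The logger name `example.auth`, the field list `SENSITIVE_KEYS` and the sample request bodies are all constructed for the example.

```python
"""Added example (not Facebook's code): how plaintext passwords end up in
application logs, how to redact them at the logging layer, and how to scan
existing log text for credentials that slipped through."""
import io
import json
import logging
import re

# Field names treated as credentials; a real deployment would tune this list.
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd",
                  "new_password", "old_password", "token", "secret"}

# Matches  "password": "value"  (JSON) as well as  password=value  (form data).
# Group 1 is the key plus separator, group 2 is the value.
PASSWORD_FIELD_RE = re.compile(
    r'("?(?:' + "|".join(sorted(SENSITIVE_KEYS)) + r')\b"?\s*[:=]\s*)'
    r'("[^"]*"|[^\s,&}]+)',
    re.IGNORECASE,
)


def redact(obj):
    """Recursively mask values of sensitive keys in a parsed request body."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def redact_text(text):
    """Mask credential values in already-serialised text (JSON or key=value)."""
    def _mask(m):
        quoted = m.group(2).startswith('"')
        return m.group(1) + ('"[REDACTED]"' if quoted else "[REDACTED]")
    return PASSWORD_FIELD_RE.sub(_mask, text)


class RedactingFilter(logging.Filter):
    """Rewrites every record's final message so credentials never reach a handler,
    regardless of how carelessly the calling code built the message."""
    def filter(self, record):
        record.msg = redact_text(record.getMessage())
        record.args = ()          # message is already fully formatted
        return True


def log_login_naive(logger, body):
    # The bug pattern: dump the whole request body, password included.
    logger.info("login request: %s", json.dumps(body))


def log_login_safe(logger, body):
    # Structural redaction before serialisation.
    logger.info("login request: %s", json.dumps(redact(body)))


def capture_log(fn, body, with_filter=False):
    """Run fn(logger, body) against an in-memory handler and return the log text."""
    buf = io.StringIO()
    logger = logging.getLogger("example.auth")      # constructed logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    if with_filter:
        logger.addFilter(RedactingFilter())
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    fn(logger, body)
    handler.flush()
    return buf.getvalue()


def find_plaintext_credentials(log_text):
    """Scan log text; return (line_number, field) for each unmasked credential value."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in PASSWORD_FIELD_RE.finditer(line):
            if "[REDACTED]" not in m.group(2):
                hits.append((n, m.group(1).strip('":= ').lower()))
    return hits


if __name__ == "__main__":
    body = {"user": "alice", "password": "hunter2"}   # constructed sample request
    naive = capture_log(log_login_naive, body)
    print("naive   :", naive.strip())
    print("safe    :", capture_log(log_login_safe, body).strip())
    print("filtered:", capture_log(log_login_naive, body, with_filter=True).strip())
    print("scan of naive log:", find_plaintext_credentials(naive))
```

The filter is the control worth keeping even after the obvious call sites are fixed: it runs on every record from that logger, so a future developer who logs the raw body again still does not leak the password. The scanner is deliberately pattern-based rather than value-based, since at review time you do not have the passwords to search for; it flags any credential-named field whose value is not the placeholder.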
Facebook's password woes come amid a tough month for the social network. Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world's largest
Earlier in March, Facebook came under criticism from security and privacy experts for using phone numbers provided for security reasons, such as two-factor authentication, for other things (such as marketing, advertising, and making users searchable by their phone numbers across the social network's different platforms).
Update, 11:43 a.m.: Facebook has posted a statement about this incident here.
Tags: Facebook, plaintext password, Scott Renfro