Facebook stored passwords in plain text for hundreds of millions of users

Sheri Evans
March 22, 2019

Researcher Brian Krebs of KrebsOnSecurity broke the news about the security failure, saying that 600 million passwords were stored in plain text.

"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them", he said.

During its review, Canahuati said that Facebook also looked at its other security practices, including its use of so-called "access tokens", which are how third-party apps identify a Facebook user and access that user's profile information.

Users' passwords are typically stored in a way that masks the text and makes them unreadable even to employees.

And its investigation showed that most of the people affected were users of Facebook Lite, which tends to be used in nations where net connections are sparse and slow.

Facebook said that hundreds of millions of users of Facebook Lite had been impacted, while tens of millions of regular Facebook users were impacted.

Despite such reassurances, privacy experts were quick to express concern: "Security rule 101 dictates that under no circumstances passwords should be stored in plain text, and at all times must be encrypted", said cybersecurity expert Andrei Barysevich of Recorded Future.

Since then, an unnamed source within Facebook told Krebs, some 2,000 Facebook staffers made "approximately nine million internal queries" for data that would have contained the user passwords.

Facebook has since fixed the issue and, as a precaution, will be notifying impacted users. CNN Business has asked Facebook why users of Facebook Lite were so highly impacted.

"In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this." The precise number of affected users hasn't been determined, but this is estimated to affect between 200 and 600 million accounts going back to at least 2012, according to the company's archives.

The basic security shortcoming was revealed on the heels of a series of controversies centered on whether Facebook properly safeguards the privacy and data of its users.

When reached for comment, a Facebook spokesperson referred to the blog post.
