Facebook Left Millions Of Passwords Readable By Employees

Mar 21, 2019, 3:10 PM | Updated: Jun 8, 2022, 5:13 pm
In this photo illustration the Social networking site Facebook is displayed on a laptop screen. (Photo by Dan Kitwood/Getty Images)
By storing passwords in readable plain text, Facebook violated fundamental computer-security practices. Those call for organizations and websites to save passwords in a scrambled form that makes it almost impossible to recover the original text.

“There is no valid reason why anyone in an organization, especially the size of Facebook, needs to have access to users’ passwords in plain text,” said cybersecurity expert Andrei Barysevich of Recorded Future.

Facebook said there is no evidence its employees abused access to this data. But thousands of employees could have searched the passwords. The company said the passwords were stored on internal company servers, where no outsiders could access them.

The incident reveals yet another huge and basic oversight at a company that insists it is a responsible guardian for the personal data of its 2.2 billion users worldwide.

The security blog KrebsOnSecurity said Facebook may have left the passwords of some 600 million Facebook users vulnerable. In a blog post, Facebook said it will likely notify “hundreds of millions” of Facebook Lite users, millions of Facebook users and tens of thousands of Instagram users that their passwords were stored in plain text.

Facebook Lite is a version designed for people with older phones or low-speed internet connections. It is used primarily in developing countries.

Last week, Facebook CEO Mark Zuckerberg touted a new “privacy-focused vision” for the social network that would emphasize private communication over public sharing. The company wants to encourage small groups of people to carry on encrypted conversations that neither Facebook nor any other outsider can read.

The fact that the company couldn’t manage to do something as simple as encrypting passwords, however, raises questions about its ability to manage more complex encryption issues — such as in messaging — flawlessly.

Facebook said it discovered the problem in January. But security researcher Brian Krebs wrote that in some cases the passwords had been stored in plain text since 2012. Facebook Lite launched in 2015 and Facebook bought Instagram in 2012.

Recorded Future’s Barysevich said he could not recall any major company caught leaving so many passwords exposed internally. He said he’s seen a number of instances where much smaller organizations made such information readily available — not just to programmers but also to customer support teams.

Security analyst Troy Hunt, who runs the “haveibeenpwned.com” data breach website, said that the situation is embarrassing for Facebook, but that there’s no serious, practical impact unless an adversary gained access to the passwords. But Facebook has had major breaches, most recently in September when attackers accessed some 29 million accounts.

Jake Williams, president of Rendition Infosec, said storing passwords in plain text is “unfortunately more common than most of the industry talks about” and tends to happen when developers are trying to rid a system of bugs.

He said the Facebook blog post suggests storing passwords in plain text may have been “a sanctioned practice,” although he said it’s also possible a “rogue development team” was to blame.

Hunt and Krebs both likened Facebook’s failure to similar stumbles last year on a far smaller scale at Twitter and Github; the latter is a site where developers store code and track projects. In those cases, software bugs were blamed for accidentally storing plaintext passwords in internal logs.

Facebook’s normal procedure for passwords is to store them encoded, the company noted Thursday in its blog post.

That’s good to know, although Facebook engineers apparently added code that defeated the safeguard, said security researcher Rob Graham. “They have all the proper locks on the doors, but somebody left the window open,” he said.
