Once again the online community has been hit by a scandal involving Facebook. Last Thursday, KrebsOnSecurity reported that the social media giant had spent years storing users’ passwords in plain text, a practice that is wrong for many different reasons.
The number of users affected by this lapse runs into the hundreds of millions, opening a fresh front for a company that is already fighting on several flanks over recent privacy problems.
The report did not come only from KrebsOnSecurity: Facebook itself confirmed it, admitting a security mistake that had persisted for many years.
The Troubled Numbers
According to the report, the flaw dates back at least to 2012, and the number of passwords stored in plain text is estimated at between 200 and 600 million. Storing passwords in plain text means that no protection at all was applied to this sensitive data, not even a weak one: the passwords were written down exactly as typed, instead of being run through a salted, deliberately slow one-way hash so that even the company holding the records cannot recover the original password.
Keeping passwords unprotected in this way meant that Facebook employees could read them more or less at will for years. With no hashing or masking in place, employees with access were able to read, and in principle use, the passwords of hundreds of millions of users, not only on Facebook but also on Instagram, which Facebook acquired in 2012 for about $1 billion in a controversial deal made up of $300 million in cash and the rest in Facebook shares.
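To make the difference concrete, here is a small added example (not Facebook's code, and not from the KrebsOnSecurity report) contrasting the plain-text storage described above with a salted, slow hash, plus the "insider test": whether someone who can read the stored record thereby learns the password. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the hashing scheme, an iteration count of 600,000, and a constructed sample store with two users; the function and record-format names are the example's own.

```python
import hashlib
import hmac
import os

# Parameters for the salted, slow hash. PBKDF2-HMAC-SHA256 is used here because it
# ships with Python's standard library; the iteration count makes every guess
# expensive for anyone who obtains the stored records and should be raised over time.
# (Assumed choices for this example, not Facebook's actual scheme.)
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def store_plaintext(password: str) -> str:
    """The failure mode described above: the stored record IS the password.
    Anyone able to read the storage can read it and log in as the user."""
    return password


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def hash_password(password: str) -> str:
    """Derive a salted hash and pack it into a self-describing record.

    The record carries the algorithm, iteration count and salt, so that old
    records can still be verified after the parameters are raised."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    digest = _derive(password, salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM or rounds < 1:
        return False
    return hmac.compare_digest(_derive(candidate, salt, rounds), expected)


def record_exposes_password(record: str, password: str) -> bool:
    """The insider test from the article: does reading the stored record give away
    the secret? A plain-text record trivially does; a hashed record holds only a
    salt and a digest. (A substring check is a demonstration, not a real leak test.)"""
    return password in record


def migrate_plaintext_store(store: dict) -> dict:
    """Remediation: replace every plain-text entry with a hashed record. Each user gets
    a distinct salt, so two users sharing a password still get different records."""
    return {user: hash_password(password) for user, password in store.items()}


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    plaintext_store = {"alice": "correct horse!", "bob": "correct horse!"}
    hashed_store = migrate_plaintext_store(plaintext_store)
    for user, record in hashed_store.items():
        print(user, record[:40] + "...", verify_password(record, plaintext_store[user]))
    print("plain record exposes password:",
          record_exposes_password(store_plaintext("correct horse!"), "correct horse!"))
    print("hashed record exposes password:",
          record_exposes_password(hashed_store["alice"], "correct horse!"))
```

Two design points worth noting: the per-record random salt means that even identical passwords produce unrelated records, so an insider cannot spot shared passwords by comparing rows, and the self-describing record lets the iteration count be raised later without invalidating existing accounts.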
The Facebook Statement
The same day, Pedro Canahuati, VP of Engineering, Security and Privacy at Facebook, issued a statement on the incident and its implications for both the company and its users.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems, (…) This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution, we will be notifying everyone whose passwords we have found were stored in this way,” he said in the statement.
He also said the exposure was limited to in-house employees, stressing that no one outside the company could have accessed the data. Even so, around 2,000 employees had access to the unprotected passwords.
The company said affected users would be notified shortly and advised to change their passwords.
The Bottom Line
Beyond the obvious answer, Facebook as a company, who is at fault here? Security experts point to careless developers who would rather not get into the details of proper credential handling: they implement the bare minimum and move on, creating serious problems for the company and its users. In this case not even the CISO caught the issue in time; it was acknowledged only years later.
Some argue that, fortunately, the passwords were exposed only to insiders and the files were never leaked to the open Internet. Facebook's next step is to put the right mechanisms in place, which means not only hashing passwords at login but also keeping the plain-text password out of every log and internal store it passes through before it is hashed, and to inform affected users so they can take the necessary measures.