Facebook yesterday admitted to having stored the passwords of hundreds of millions of its active users in plain text, including the passwords of Facebook, Facebook Lite, and Instagram users.
The company says it discovered the issue during a routine security review last month: the passwords had been cached in a readable format inside its internal data storage systems, and only Facebook employees had access to them.
The problem has been addressed, and all of the users who were affected will be notified, Facebook announced.
“To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them,” the company says.
The number of affected users, though, is enormous. The social media platform estimates that hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users are affected.
“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them,”
the company says.
According to Brian Krebs, Facebook is currently reviewing a series of cases involving employees who “built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.”
Krebs also states that the passwords of between 250 million and 600 million users on Facebook may have been cached in plain text and that over 20,000 Facebook employees may have been able to search those users’ passwords.
Some of these passwords might have been saved in plain text for seven years, Krebs says.
Facebook, which faced extensive criticism last year after it emerged that it had shared users’ data with other organizations without notifying the affected users, says it stores users’ passwords in line with security best practices, masking them so that “no one at the company can see them.”
“With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text,”
the company declares.
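The statement above describes the standard approach: store a salted, slow hash of the password and re-derive it at login, so the plaintext never needs to be kept. The example below is added here for illustration and is not Facebook's code; the article does not name the hashing algorithm, so PBKDF2-HMAC-SHA256 from Python's standard library is assumed. It also shows the other half of the problem the article describes, internal applications logging plaintext passwords: a redaction step applied before a request is logged, and a small scanner that flags log lines still carrying a credential value. The form field names and log lines are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import re

# --- Storing a password without keeping the plaintext ---------------------

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    Only the random salt and the derived key are stored; the password is not.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key from the candidate password and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash record: %s" % algorithm)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# --- Keeping passwords out of internal logs -------------------------------

# Assumed field names; extend to whatever your login and settings forms use.
SECRET_FIELDS = {"password", "passwd", "new_password", "old_password"}


def redact_for_logging(form: dict) -> dict:
    """Copy of a submitted form with credential fields replaced before it is logged."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v) for k, v in form.items()}


# A credential field whose value is anything other than the redaction marker.
_CREDENTIAL_IN_LOG = re.compile(r"(?i)\b(password|passwd)=(?!\[REDACTED\])[^&\s]+")


def find_logged_credentials(log_lines):
    """Return (line_number, field_name) for every line that still carries a credential value."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = _CREDENTIAL_IN_LOG.search(line)
        if match:
            hits.append((number, match.group(1).lower()))
    return hits


# Constructed sample log lines, not real data; line 2 and line 4 leak a value.
SAMPLE_LOG = [
    "2019-03-21 10:00:01 POST /login email=alice@example.com password=[REDACTED]",
    "2019-03-21 10:00:02 POST /login email=bob@example.com password=hunter2",
    "2019-03-21 10:00:03 GET /feed user=carol",
    "2019-03-21 10:00:04 POST /settings passwd=s3cret&new_password=[REDACTED]",
]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(redact_for_logging({"email": "bob@example.com", "password": "hunter2"}))
    print(find_logged_credentials(SAMPLE_LOG))
```

The stored record carries its own algorithm and iteration count, so the work factor can be raised later and old records rehashed on the next successful login. The scanner is deliberately narrow (two field names, query-string syntax); in practice the useful control is the redaction call sitting in the one logging helper every application goes through, with the scanner run over log archives as a check that nothing bypassed it.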
Last year, Zuckerberg admitted that political consulting company Cambridge Analytica collected the data of up to 87 million people worldwide via an academic researcher’s personality prediction app.