Facebook Newsroom – On March 21 (Thursday), Facebook released a statement entitled “Keeping Passwords Secure” on its newsroom, disclosing that some user passwords had been stored “in a readable format” within its internal data storage systems. In other words, Facebook staff had access to user passwords.
The breach of confidentiality was discovered during the organisation’s routine security review for January.
The release noted how the revelation caught their attention because Facebook’s login systems were designed to “mask passwords using techniques that make them unreadable.”
Those affected are hundreds of millions of users of Facebook Lite, a version of Facebook for regions with lower connectivity, tens of millions of regular Facebook users, and tens of thousands of Instagram users.
To date, Facebook has only given this estimate, but it assured the public that the issues had been fixed and that, as a precaution, it would notify everyone whose password had been stored in readable form.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” said Facebook.
According to a report by Krebs on Security, employees built applications that took the encrypted login passwords of Facebook users and stored them in plain text on internal company servers. A senior Facebook employee, who is familiar with the investigation and wishes to remain anonymous for safety reasons, described this practice inside the organisation.
The Facebook source gave a more definite figure, saying that between 200 and 600 million Facebook users may have had their account passwords accessible to more than 20,000 Facebook employees.
The inquiry has also shown that some of the plain text passwords date back to 2012.
Meanwhile, in the update provided by Facebook, they explained how user passwords are protected, reiterating how they “mask” the private information upon account creation so that no one within the company could see them.
“In security terms, we ‘hash’ and ‘salt’ the passwords, including using a function called ‘scrypt’ as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text,” Facebook explained.
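The scheme Facebook describes (a per-user salt, the scrypt key-derivation function, and a server-side key) is illustrated below. This is an added example written for this article, not Facebook's code: the server key, the scrypt work factors, the record format and the sample password are all assumed values chosen for the demonstration. The point it makes is the one in the statement: the stored record lets the server check a login attempt, but nothing in it is the password, so a copy of the credential table alone does not expose anyone. The incident arose because a separate, readable copy of passwords was written elsewhere, which no amount of hashing in the login path can undo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example only: this stands in for the server-side
# "cryptographic key" the statement mentions. It must be kept apart
# from the credential database (e.g. in a secrets manager) so that a
# dump of the table alone cannot be checked against password guesses.
SERVER_KEY = b"example-server-key-replace-in-deployment"

# scrypt work factors (assumed values): CPU/memory cost N, block size r,
# parallelism p. 128 * r * N bytes = 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16   # bytes of random salt per user
DK_LEN = 32     # bytes of scrypt output


def _tag(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """scrypt(password, salt) followed by an HMAC under the server key."""
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=n, r=r, p=p, dklen=DK_LEN)
    # Keyed step: without SERVER_KEY the stored tag cannot be compared
    # against guesses even when salt and parameters are known.
    return hmac.new(SERVER_KEY, dk, hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record for storage.

    Format (assumed for this example): scrypt$N$r$p$<salt hex>$<tag hex>.
    The record contains no recoverable form of the password.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)   # fresh random salt per user
    tag = _tag(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), tag.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the tag from the candidate password and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, tag_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = _tag(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
        return hmac.compare_digest(expected, bytes.fromhex(tag_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad integers).
        return False


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("correct horse battery", record))
```

Verification never needs the original password, only the candidate typed at login; the random salt means two users with the same password get different records, and the server key means the table is useless for offline guessing without a second secret.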
The statement, provided by VP Engineering, Security and Privacy, Pedro Canahuati, also mentioned Facebook’s security measures built to protect people’s accounts, such as signals that indicate suspicious activity, alerts for unrecognised logins, and the like.
Facebook reassured the public that none of the passwords were exposed externally and that there was no evidence of abuse internally, but it nonetheless gave some tips on how to keep accounts secure, such as changing your password and enabling two-factor authentication.
Passwords are confidential information and keeping them in encrypted form is essential in cybersecurity. Marcus Carey, CEO of Threatcare, an Austin cybersecurity company, said that “encrypting passwords is Security 101.”
“If they can’t get the basic principles of cybersecurity right, they are surely failing on the tougher challenges,” he added.
Facebook has been facing numerous incidents compromising cybersecurity since the Cambridge Analytica data scandal back in March 2018. Only about a week ago it failed to block 300,000 uploads of the live stream footage of the New Zealand mosque massacre.
Before that, in December last year, Facebook discovered a bug within the platform that granted third-party apps permission to access users’ photos, even those that were not fully uploaded to Facebook and had been saved as drafts.