Facebook blunder: employees had access to hundreds of millions of private passwords

Facebook Newsroom – On March 21 (Thursday), Facebook released a statement entitled “Keeping Passwords Secure” on its newsroom disclosing that user passwords were being stored “in a readable format” within its data storage systems. This means that Facebook staff had access to user passwords.

The breach of confidentiality was discovered during the organisation’s routine security review for January.

The release noted how the revelation caught their attention because Facebook’s login systems were designed to “mask passwords using techniques that make them unreadable.”

Those affected are hundreds of millions of users of Facebook Lite, a version of Facebook for those regions with lower connectivity, tens of millions of regular Facebook users, and tens of thousands of Instagram users.

To date, Facebook has given only this estimate, but it assured the public that the issues had been fixed and that, as a precaution, it would notify everyone affected whose passwords had been revealed.

“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” said Facebook.

According to a report by Krebs on Security, employees built applications that took the encrypted login passwords of Facebook users and stored them in plain text on internal company servers. A senior Facebook employee, who is familiar with the investigation and wishes to remain anonymous for safety reasons, disclosed this internal practice.

The Facebook source gave a more definite number of affected users, saying that between 200 and 600 million Facebook users may have had their account passwords accessible to more than 20,000 Facebook employees.

The inquiry has also shown that there were versions of plain text user passwords that date back to 2012.

Meanwhile, in the update provided by Facebook, they explained how user passwords are protected, reiterating how they “mask” the private information upon account creation so that no one within the company could see them.

“In security terms, we ‘hash’ and ‘salt’ the passwords, including using a function called ‘scrypt’ as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text,” Facebook explained.
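The salted, keyed scrypt approach the statement describes can be sketched as follows. This is an added example, not Facebook's code: the HMAC step used for the "cryptographic key", the cost parameters and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters for this sketch (N=2**14, r=8 uses ~16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32


def _derive(password: str, salt: bytes, server_key: bytes) -> bytes:
    # Slow, memory-hard hash of the password with the per-account salt.
    stretched = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # Keyed step: without server_key (kept outside the password database),
    # a copied record cannot be checked against password guesses offline.
    return hmac.new(server_key, stretched, hashlib.sha256).digest()


def hash_password(password: str, server_key: bytes) -> dict:
    """Build the record to store; the plaintext is never part of it."""
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = _derive(password, salt, server_key)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify_password(password: str, record: dict, server_key: bytes) -> bool:
    """Recompute from the login attempt and compare in constant time."""
    candidate = _derive(password, bytes.fromhex(record["salt"]), server_key)
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key; a real one lives in a KMS/HSM
    rec = hash_password("correct horse battery staple", key)  # constructed sample
    print(rec)
    print(verify_password("correct horse battery staple", rec, key))
    print(verify_password("wrong guess", rec, key))
```

The scheme only protects users if every other code path, including request and debug logging, also never writes the submitted password, which is the gap the article describes.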

The statement, provided by VP Engineering, Security and Privacy, Pedro Canahuati, also mentioned Facebook’s security measures built to protect people’s accounts such as signals that indicate suspicious activity, alerts for unrecognised login, and the like.

Read the full update below:

Keeping Passwords Secure

Facebook reassured the public that none of the passwords were exposed externally and that there was no evidence of abuse internally, although it gave some tips on how to ensure account security, such as changing your password and enabling two-factor authentication.

Passwords are confidential information and keeping them in encrypted form is essential in cybersecurity. CEO of Threatcare, an Austin cybersecurity company, Marcus Carey, said that “encrypting passwords is Security 101.”

“If they can’t get the basic principles of cybersecurity right, they are surely failing on the tougher challenges,” he added.

Facebook has been facing numerous incidents compromising cybersecurity since the Cambridge Analytica data scandal back in March 2018. It was only about a week ago when it failed to block 300,000 uploads of the live stream footage of the New Zealand mosque massacre.

Before that, in December last year, Facebook discovered a bug within the platform that granted permission to third-party apps to access users’ photos, even those that were not fully uploaded to Facebook and saved as drafts.
