Facebook Stored Millions Of Passwords Unprotected

Facebook has admitted to a worrying data mistake after “hundreds of millions” of passwords were stored in plaintext, unprotected by any form of encryption whatsoever.

But the social networking giant said the unprotected passwords were stored on Facebook’s internal servers that could only be accessed by 20,000 staff members.

That admission however cut little ice with security experts who lamented that the firm had stored the passwords unprotected as far back as 2012.

Unprotected passwords

The discovery that Facebook had failed to apply basic data protection measures to the passwords was made by security researcher Brian Krebs, who cited a senior Facebook insider as his source.

“Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees – in some cases going back to 2012, KrebsOnSecurity has learned,” the report said. “Facebook says an ongoing investigation has so far found no indication that employees have abused access to this date.”

Facebook then later admitted that it had discovered the flaw as part of a routine security review in January this year.

The majority of the affected passwords are said to be users of Facebook Lite, which is a cut down version of the social media app for regions with poor or slow connectivity.

“These passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Facebook was quoted by Reuters as saying.

The social network also admitted it was investigating the causes of a series of security failures, in which employees built applications that logged unencrypted password data for Facebook users.

“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the company reportedly said.

Expert reaction

But security experts were not impressed at Facebook’s failure to ensure the passwords were at the very least encrypted.

“Passwords in a flat file for anyone to read?! Are you kidding me? Give me a break!” said Sam Curry, chief security officer at Cybereason. “Everyone, including Facebook, have tech debt and security debt that piles up. But that’s not an excuse any longer.”

“Facebook is starting to look like critical social infrastructure, where there responsibility is to the public,” said Curry. “It’s past time to go back and clean the skeletons out of the closets. How can we trust this platform to get bigger and get more connected under the hood if they can’t do the basis blocking and tackling right? Facebook needs a security strategy for the 21st century not the 20th century.”

Another expert said that unfortunately, these types of undiscovered problems are widespread within large tech firms.

“Unfortunately, such undocumented ‘features’ are quite widespread in large technology companies,” lamented High-Tech Bridge’s CEO Ilia Kolochenko. “Frequently, there is no malicious intent or negligence, but rather an internal ‘hack’ to better resolve some issues or conduct testing.”

“The problem is that such shadow data and its usage are virtually uncontrollable, and even now it would be premature to conclude that the [Facebook] issue is fully remediated – numerous backups, including custom backups made by employees, may still exist in different and unknown locations,” Kolochenko warned.

“Such issues are very time-consuming to discover even with an external audit,” said Kolochenko. “Therefore, when dealing with large technology companies be well prepared to understand that they know everything about you and [internally] may handle this data differently from what their policy or terms of services say.”

And one expert said that the consumer reliance on passwords to protect them is just not a sustainable model going forward.

“The discovery is just another indication that our continued reliance on passwords is not sustainable and fails consumers,” said Stephen Cox, chief security architect at SecureAuth.

“Decades of experience shows us that the password is an archaic method of authentication, often not under the control of the user, and simply isn’t enough to satisfy today’s threat landscape,” said Cox. “Not only are many organisations using poor hygiene when storing passwords, a large portion of these passwords are already widely available on the dark web due to previous massive breaches. The reality is that people reuse passwords across multiple websites and password leaks can have far reaching consequences.”

“With the trend of password leakage and the resulting credential misuse on the rise, organisations must evolve and adopt modern approaches to identity security, one that improves security posture but takes care to keep the user experience simple,” Cox added.

“We need to move beyond the password, and basic two-factor authentication methods, to modern adaptive risk-based approaches that leverage real-time metadata and threat detection techniques to improve end-user trust,” Cox concluded. “The goal should be rendering stolen credentials useless to an attacker.”

Do you know all about security? Try our quiz!