Pedro Canahuati, Facebook’s Vice President of Engineering, Security, and Privacy, admitted in a blog post on March 21st that the social media company has been storing “hundreds of millions” of users’ passwords in plaintext for years.
“Storing passwords in readable plaintext is an insecure way of storing passwords. Companies, like Facebook, hash and salt passwords — two ways of further scrambling passwords — to store passwords securely,” writes Tech Crunch. “That allows companies to verify a user’s password without knowing what it is.”
Canahuati released this information in response to a report made by cyber-security reporter Brian Krebs, who published an article detailing the oversight two days prior.
“My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords,” wrote Krebs. The bug dated all the way back to 2012 and could have potentially affected 600 million users, which amounts to about one-fifth of the company’s 2.7 billion users, though that figure has not been confirmed by Facebook.
Though this revelation is only becoming public knowledge as spring emerges, Facebook discovered the error months earlier in January. It is still unknown as to if they informed state or international regulators through a U.S. breach notification or European data protection laws, though the Irish data protection office, which covers Facebook’s European operations, claimed to have been informed.
Canahuati assures that no passwords were ever visible to anyone outside of Facebook and the company has “found no evidence to date that anyone internally abused or improperly accessed them.” Still, they will be notifying Facebook, Facebook Lite, and Instagram users of the issue.
Twitter and GitHub both experienced like scandals last year when they discovered that their passwords were stored in plaintext and not scrambled due to similar but independent bugs.