Facebook Stored Passwords in Plaintext for Years

Facebook stated in a blog post on Thursday, notifying users, that it had kept passwords stored in plaintext since 2012. The 600 million passwords were accessible to Facebook employees.

Affected accounts include millions of Facebook Lite, Facebook, and Instagram users. Facebook Lite is a version of Facebook used in regions with low-speed connections. Further, Facebook insiders told KrebsOnSecurity that about 20,000 Facebook employees had access to the passwords.

Facebook made the discovery this January during a routine security review: some user passwords stored in its internal data storage systems were kept in plaintext, meaning they were clearly visible and readable. Scott Renfro, a Facebook software engineer, told KrebsOnSecurity that the discovery was made when engineers reviewing new code noticed that passwords were being logged in plaintext.
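The failure described here, credentials written into application logs by ordinary log statements, is usually prevented by scrubbing at the logging layer rather than relying on code review to catch each instance. The Python example below is added for illustration and is not Facebook's code: it shows a `logging.Filter` that redacts common credential fields (a constructed key list) before any handler writes them, and an audit helper for finding values that already slipped into existing log lines.

```python
import logging
import re

# Field names whose values must never reach a log line (constructed list; extend per application).
SENSITIVE_KEYS = ("access_token", "password", "passwd", "secret", "token", "pwd")
REDACTED = "[REDACTED]"

# Groups: 1 = key, 2 = optional closing quote plus ':' or '=', 3 = optional quote opening
# the value, 4 = the value itself (stops at whitespace, quotes, '&', ',' or '}').
_KV_RE = re.compile(
    r'(?i)\b(' + '|'.join(SENSITIVE_KEYS) + r')\b(["\']?\s*[:=]\s*)(["\']?)([^\s"\'&,}]*)\3'
)

def redact_text(text: str) -> str:
    """Replace the value of every sensitive key=value / "key": "value" pair in free-form text."""
    return _KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}{REDACTED}{m.group(3)}", text)

def redact_mapping(data: dict) -> dict:
    """Return a copy of a (possibly nested) dict, e.g. a request body, with sensitive values removed."""
    out = {}
    for key, value in data.items():
        if str(key).lower() in SENSITIVE_KEYS:
            out[key] = REDACTED
        else:
            out[key] = redact_mapping(value) if isinstance(value, dict) else value
    return out

class CredentialRedactingFilter(logging.Filter):
    """Attach to every handler (handler.addFilter) so no formatter ever sees a credential value."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so the scrub sees the final text, then drop args so it is not formatted again.
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True

def format_with_filter(msg: str, *args) -> str:
    """Build a record, pass it through the filter and return what a handler would emit."""
    record = logging.LogRecord("auth", logging.INFO, "<constructed>", 0, msg, args, None)
    CredentialRedactingFilter().filter(record)
    return record.getMessage()

def find_plaintext_credentials(lines) -> list:
    """Audit existing logs: 1-based numbers of lines that still carry an unredacted credential value."""
    return [n for n, line in enumerate(lines, 1)
            if any(m.group(4) and m.group(4) != REDACTED for m in _KV_RE.finditer(line))]
```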

Pedro Canahuati, Facebook's Vice President of Engineering, Security and Privacy, stated in the blog post:

“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”

Insiders also said that, after examining access logs, they found that 2,000 engineers had made nine million internal queries for data containing plaintext user passwords. They additionally examined all other storage, such as access tokens, and fixed every issue they came across during that time.

Further, no evidence was found that the passwords were misused. Therefore, according to Canahuati, Facebook will not require any password resets.

Canahuati further said:

“In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

Although Facebook is not forcing any hard resets, it does recommend that users change their passwords. Additionally, users should not reuse passwords across services, and Facebook recommends enabling two-factor authentication.

This is the latest of Facebook's privacy and security problems to come to light. Just a short time after Mark Zuckerberg promised to focus on privacy over the next few years, a number of scandals have emerged from the company.

For security advisory solutions contact LIFARS today.