Facebook admits storing 'hundreds of millions' of passwords in plain text

The company reported yesterday that it stored millions of user passwords in plain text, without any hashing/encryption.

Facebook Software Engineer Scott Renfro told Krebs that the company hasn't found any cases where someone was intentionally looking for passwords or misusing the data. Canahuati said that Facebook's server-side applications are only supposed to store a "hashed" mathematical representation of users' passwords and not the passwords themselves.

"This caught our attention because our login systems are created to mask passwords using techniques that make them unreadable", said Pedro Canahuati, the company's vice president of Engineering, Security and Privacy, in a blog post.

Facebook revealed on Thursday it didn't properly mask the passwords of hundreds of millions of its users and stored them in an internal database that could be accessed by its staff.

In light of this, Facebook has also published a statement titled Keeping Passwords Secure.

Facebook Lite is a version designed for people with older phones or low-speed internet connections.

But it raises the question of why Facebook chose to sit on this news for three months and informed users only after the report surfaced. Facebook's deal with tech firms to share user data without explicit consent is also under criminal investigation, according to the New York Times.

Account passwords for hundreds of millions of Facebook users have been housed in plain text and searchable by thousands of Facebook employees since 2012. Worse yet, they were technically accessible by more than 20,000 Facebook employees, with some archives dating back to 2012. During a routine review, Facebook says, it found that the plain text passwords were unintentionally captured and stored in its internal storage systems.
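As an added illustration, not Facebook's code, of the two points the article makes (server-side applications should store only a hashed representation of a password, and plaintext passwords ended up unintentionally captured in internal storage), the hypothetical Python below stores a salted scrypt hash, redacts password fields before a request line is logged, and runs the kind of review pass that would flag lines still carrying a plaintext value. The field names and sample log lines are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Hypothetical example, not Facebook's code. Parameters chosen for illustration.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted scrypt record; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# The failure mode in the article: a request logger copies the raw login form,
# password field included, into internal storage. The field names are assumptions.
_PASSWORD_FIELD = re.compile(r"(\b(?:password|passwd|pwd)=)([^&\s]*)", re.IGNORECASE)
_MASK = "[REDACTED]"

def redact_log_line(line: str) -> str:
    """Mask the value of any password-like form field before the line is written."""
    return _PASSWORD_FIELD.sub(lambda m: m.group(1) + _MASK, line)

def audit_log_lines(lines: List[str]) -> List[int]:
    """Review pass: indices of lines that still carry an unmasked password value."""
    flagged = []
    for i, line in enumerate(lines):
        for m in _PASSWORD_FIELD.finditer(line):
            if m.group(2) not in ("", _MASK):
                flagged.append(i)
                break
    return flagged

# Constructed sample log lines (not real data).
LOG_LINES = [
    "POST /login body=email=alice%40example.com&password=hunter2 status=200",
    "POST /login body=email=bob%40example.com&password=[REDACTED] status=200",
    "GET /feed user=carol status=200",
]
```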

Facebook announced its findings in a security blog post today.

On top of that, it is recommended that you use a unique password for each login, which is where a password manager comes in handy. Facebook's statement adds: "When you log in with your password, we will ask for a security code or to tap your security key to verify that it is you."

Canahuati did not say how many of Facebook's more than 25,000 employees had access to users' passwords, and thus, their posted private or personal information stored on its platform.
