Facebook stored millions of passwords in plain text

Facebook stored between 200 million and 600 million passwords in plain text, though it says there is no evidence of a breach or abuse by its staff.

Facebook stored millions of passwords in plain text

Facebook once again broke our trust by storing millions of people's passwords in plain text within the company, which they discovered in January 2019 already but only revealed to us now.

We know already not to give Facebook all our info - it's why I barely use it these days. Same goes for Instagram and everything else connected to Facebook. (Yes I post pics of my dogs on Instagram but not much else :P)

From Krebsonsecurity:

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

Facebook released a statement:

As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.

To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.

In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them. There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.

So in light of this, even if you do not get the email from Facebook, I would suggest changing your passwords for Facebook and all their related companies, as well as anywhere you have reused those passwords.