Facebook Leaves Millions Of Passwords Unencrypted
Surprise, surprise, Facebook are at the centre of yet another security fiasco. Someone needs to give their security team a poke and tell them to start following best practices! Is poking even still a thing on Facebook?
I just Googled it and it’s still a thing, but it was made a little less obvious nearly 8 years ago now. However redundant poking is, it seems Facebook aren’t doing too well at hiding their peeking. Back in January they were caught snooping on users’ private conversations on Messenger… again. And that’s without mentioning the debacle with Cambridge Analytica.
Even more recently, however, it seems their security hasn’t improved all that much, with the report that they had mistakenly stored hundreds of millions of users’ passwords in plaintext. In other words, they weren’t encrypted.
To make it even worse, this wasn’t just on Facebook, but also on Instagram. Obviously this list isn’t available anywhere publicly, but there are several internal engineers at Facebook who would have had access to this database through the servers. Now when I say several, at a company as big as Facebook, this translates to over 2000 individuals.
The error was discovered in January during routine security checks and they then performed an internal investigation to find out if any employees abused their access to this data. They found no evidence to suggest that this was the case, but of course there is no way to know for sure that your password hasn’t been compromised. There is no way for them to reliably know if any of the thousands that had access could have taken down copies of any of those account details over the years they were available!
In a statement, Facebook’s Vice President of Engineering, Pedro Canahuati, said, “To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them.”
Exact numbers have not been confirmed, nor has any way of knowing whether you have been affected, but as always in cases like this, it’s probably best to change your password again. Better to be safe than sorry!
By the time I posted this, Facebook had already had another hiccup, although a more minor one. Have a read here about Facebook asking users for their email passwords.