Facebook users' passwords stored in plaintext by accident since 2012

by Julie Splinters


According to recent reports, Facebook has accidentally been storing hundreds of millions of users' passwords in plaintext since 2012.[1] The security flaw was discovered by experts in January 2018. The incident affected not only Facebook and Facebook Lite users but also users of Instagram, another popular network that is connected with Facebook.[2]

The company did not reveal the technical details that caused passwords to be stored in plaintext. However, it explained that users' passwords are normally kept in a form that even company staff and technical experts cannot view:[3]

In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them. In security terms, we “hash” and “salt” the passwords, including using a function called “scrypt” as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.
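An added example, not code from Facebook or from the original article: a minimal sketch of the salted scrypt hashing plus secret-key step that the statement describes. The scrypt parameters, the HMAC-SHA256 keyed step, and the names `hash_password`, `verify_password` and `server_key` are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factors for illustration; not Facebook's actual settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_LEN, DK_LEN = 16, 32


def hash_password(password: str, server_key: bytes,
                  salt: Optional[bytes] = None) -> dict:
    """Build the record to store: a random salt and a keyed scrypt digest.

    The plaintext password is never part of the returned record.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # unique per user, defeats precomputed tables
    derived = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    # Keyed step (assumed to be HMAC-SHA256 here): server_key is held outside
    # the credential store, so a copied record alone cannot be tested against
    # password guesses offline.
    digest = hmac.new(server_key, derived, hashlib.sha256).digest()
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify_password(candidate: str, record: dict, server_key: bytes) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    recomputed = hash_password(candidate, server_key, salt)
    return hmac.compare_digest(recomputed["digest"], record["digest"])


if __name__ == "__main__":
    key = os.urandom(32)                    # constructed sample key
    rec = hash_password("Tr0ub4dor&3", key)  # constructed sample password
    print(rec)
    print(verify_password("Tr0ub4dor&3", rec, key))
    print(verify_password("guess", rec, key))
```

Login succeeds only when the recomputed digest matches the stored one, so the service can validate a password while keeping nothing from which the password can be read back.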

The company claims that the passwords were viewable to the Facebook staff only

Facebook also tells users that the passwords were not misused by criminals and were not seen by anyone outside the company. The stored passwords were viewable by Facebook staff, which numbers more than 20,000 employees, but, according to the company, they did not reach the Internet.

No exact number of affected people was provided, but experts believe that hundreds of millions, or at least tens of millions, of Facebook users had their passwords exposed in plaintext. Some specialists believe that between 200 and 600 million people were affected.

The company said that it will inform all users who were affected by this security flaw and that the flaw has been fixed. Additionally, users who have weak passwords are encouraged to change them to stronger ones that contain various symbols, and all users should enable two-factor authentication, which makes logging in harder for potential intruders.[4]

Facebook's name has come up in other data exposures and cases of misuse

Sadly, this is not the first time Facebook has accidentally exposed personal and secret information of its users. Fortunately, this time there were no victims. However, past exposures did not end as well. A security-related data breach allowed cybercrooks to access the personal data of around 29 million Facebook users in October 2018.

Additionally, cybercriminals often hide behind Facebook's name to carry out malicious activities. For example, about a month ago, crooks misused the “Login with Facebook” feature to trick users.[5] Be very careful while browsing the web and examine pop-up windows closely, as they might look legitimate at first glance but are not.

About the author

Julie Splinters - Malware removal specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.


References