Facebook admits millions of Instagram accounts affected by unencrypted password storage bl...
Facebook has admitted that its major security breach from March, in which the social network stored "hundreds of millions" of plain-text passwords on internal servers, was worse than first thought for users of Instagram, advising that it may have affected millions of accounts on the image-sharing service and not the "tens of thousands" it initially reported.

The revelation in March involved the storage of details for between 200 million and 600 million accounts on internal servers in an unprotected, unencrypted fashion. According to the leak by an anonymous senior Facebook employee, the practice dated as far back as 2012, and some 2,000 engineers made approximately 9 million queries on that data, which included passwords.
Facebook's own post about the discovery, which was in fact found in January but reported in March, has been corrected with new information about the size of the breach. The post originally estimated that "hundreds of millions" of Facebook Lite users, as well as tens of millions of other Facebook users, were affected along with "tens of thousands of Instagram users."
Updated on Thursday, the post advises "additional logs of Instagram passwords being stored in a readable format" were discovered in the investigation, and that Facebook now estimates the issue "impacted millions of Instagram users." Facebook claims it will begin notifying affected users in a similar way to others.
"Our investigation has determined that these stored passwords were not internally abused or improperly accessed," the update concludes.
At the time, it was claimed Facebook had not seen any cases of employees looking intentionally for passwords, nor any misuse of the data. By way of explaining the existence of the insecure data trove, it was claimed the details were inadvertently logged, but that there "was no actual risk" from its creation.
Facebook has notified affected users of all of the services to prompt the creation of a new and securely stored password.
The increase in accounts affected is the latest privacy issue Facebook has faced in recent months. On Wednesday, it was found Facebook had "unintentionally uploaded" the email contacts for some 1.5 million users without their consent.
It has also been accused of sloppy security practices, questionable data sharing, leveraging user data in dealings with partners, and, most famously, being at the center of the Cambridge Analytica scandal and facing a record billion-dollar FTC fine.

Comments
Are we in season 1 or 2 of this comedy/horror show called Facebook (Instagram), directed by Mark Zuckerberg? Are we really not going to hold this company up to any type of wrongdoing?
Scumbags.
Oh wait... nevermind.
Seriously... while Zuckerberg has a bunch of monkeys running loose in the security department, I couldn't care less about FB and Instagram data because there's just nothing there. Anyone posting anything to either platform is in most ways publicly accessible anyways.
https://daringfireball.net/linked/2019/04/18/facebook-instagram-shocker
Yeah, I likewise haven't deleted it yet. I don't do anything important there anymore, and won't participate in many groups there. I don't post much there anymore and take any discussions off-line. I use it more as a place to potentially get stuff seen, though the impact w/o pay-to-play is pretty bad anymore. I really should just delete it, but I also don't want to limit channels to get my messages out.
I doubt most people are just going to delete/wipe it, but I sure hope people start smartening up about what they post and do there. There are still 'experts' recommending Facebook as the best place to host private groups for discussion of sensitive topics... yikes! And, a lot of people I know still dump their entire lives up there, or have discussions (again, which they assume are semi-private) about things they wouldn't necessarily want made public. In light of all this, that's just insane behavior.
Oh, heck yeah! You should do this for EVERYTHING, not just Facebook! (i.e., a strong, unique password for every account of any kind)
I told someone about this news, and they said... 'Oh, I'll change my Instagram password.' And, I was like, "No, I don't think you're understanding. You need to remember if you used your old password anywhere else, and then change those places! And sure, it ALSO wouldn't hurt to change your FB and Instagram passwords."
This happens with all kinds of stuff, including when Congress pushes through really controversial bills. Most people don't even hear about it, because EVEN IF the MSM were paying any attention (which they probably weren't anyway), the big news story will drown out even any other outlets reporting on it.