Facebook stored 'hundreds of millions' of unencrypted passwords on internal servers

Posted:
in General Discussion edited March 2019
Adding to multiple security controversies, Facebook is reportedly investigating problems which led to "hundreds of millions" of unencrypted, plain-text passwords being stored on internal servers.

Facebook HQ


The data accumulated as a result of apps built by Facebook staff, said Krebs on Security, citing an anonymous senior Facebook employee. As many as 200 million to 600 million accounts may have been affected, and searchable by over 20,000 employees, the person said. The exact number of accounts exposed is uncertain, although some of them may have been vulnerable as far back as 2012.

Access logs are said to show that about 2,000 engineers and other developers made some 9 million internal queries for data that contained the passwords.

"The longer we go into this analysis the more comfortable the legal people are going with the lower bounds [of affected accounts]," the source added. "Right now they're working on an effort to reduce that number even more by only counting things we have currently in our data warehouse."

A Facebook engineer willing to go on record, Scott Renfro, acknowledged the situation and said that an official announcement should be made later today, even though the company won't have specific numbers and won't force anyone to do a password reset.

"We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data," Renfro claimed. "In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this. We want to make sure we're reserving those steps and only force a password change in cases where there's definitely been signs of abuse."

The company said similar things in a written statement, but added that impacted accounts include Facebook Lite and Instagram users too.

Facebook uncovered the problem in January when engineers were reviewing new code, Renfro explained. Why it wasn't immediately disclosed isn't presently clear.

"This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening," he said. "We have a bunch of controls in place to try to mitigate these problems, and we're in the process of investigating long-term infrastructure changes to prevent this going forward. We're now reviewing any logs we have to see if there has been abuse or other access to that data."

Facebook has come under intense scrutiny thanks to a variety of security and privacy scandals, two of the most recent involving data sharing deals with companies like Apple, Amazon, Microsoft, and Sony, plus people being able to look up strangers based on phone numbers submitted for two-factor authentication. By far the biggest though is Cambridge Analytica, which has attracted investigations by the U.S. and UK governments over voter data collected without most users' consent. Facebook could potentially end up paying billions in U.S. fines.
«1

Comments

  • Reply 1 of 28
    CheeseFreezeCheeseFreeze Posts: 1,247member
    This is absurd! They keep screwing it up. 
    chiatmaymagman1979n2itivguyStrangeDays
  • Reply 2 of 28
    rogifan_newrogifan_new Posts: 4,297member
    Facebook is evil.
    chiaagilealtitudetmayGG1mwhitemagman1979n2itivguymonstrositywatto_cobra
  • Reply 3 of 28
    ElCapitanElCapitan Posts: 372member
    It is time to send that company to /dev/null
    chiamacseekertmaymagman1979monstrositywatto_cobra
  • Reply 4 of 28
    croprcropr Posts: 1,122member
    If it was indeed discovered in January and it is only made public just recently, than Facebook will receive a serious fine from the EU because of the GDPR regulations.   According to the GDPR regulations, this must be reported immediately.
    pujones1watto_cobra
  • Reply 5 of 28
    Eric_WVGGEric_WVGG Posts: 966member
    Facebook is in the Yahoo bucket now — for suckers and fools. 
    agilealtitudemagman1979watto_cobra
  • Reply 6 of 28
    mwhitemwhite Posts: 287member
    On that picture instead of a thumbs up it should be a thumbs down :s
    watto_cobra
  • Reply 7 of 28

    They are idiots! Can I say that here?





    magman1979watto_cobra
  • Reply 8 of 28
    neilmneilm Posts: 985member
    They may as well change the company name to Faceplant.
    n2itivguyStrangeDayschasmwatto_cobra
  • Reply 9 of 28
    eriamjheriamjh Posts: 1,631member
    My MySpace password has never been compromised.  
    razorpitchasmwatto_cobra
  • Reply 10 of 28
    racerhomie3racerhomie3 Posts: 1,264member
    Amazing Facebook. Great security,keep it up proud of you. 
    watto_cobra
  • Reply 11 of 28
    hexclockhexclock Posts: 1,243member
    I know these headlines are meant to shock and surprise, yet I am neither shocked nor surprised. 
    DanManTXwatto_cobra
  • Reply 12 of 28
    olsols Posts: 50member
    What is Facebook’s business case again? Is it by any chance stealing people’s data and secrets?

    How long until removes them from their app store - perhaps then Facebook understands what violating user privacy means...
    watto_cobra
  • Reply 13 of 28
    Access logs are said to show that about 2,000 engineers and other developers made some 9 million internal queries for data that contained the passwords.
    All it takes is one disgruntled employee or contractor out of 2,000. What are the odds?

    And it appears that over 20,000 employees had searchable access to the data.

    Knock, knock.
    Who's there?
    Karma.

    magman1979watto_cobra
  • Reply 14 of 28
    GG1GG1 Posts: 483member
    neilm said:
    They may as well change the company name to Faceplant.
    or Facecrook
    StrangeDayswatto_cobra
  • Reply 15 of 28
    dewmedewme Posts: 5,335member
    The time for mock surprise at Facebook's total disregard security and privacy has long ... long ... long since passed. If you're still playing with Facebook after seeing only what has surfaced so far you absolutely have no ground to stand on to blame them for anything. Fool you once, sure, but fool you twenty seven times - it's all on you. Yeah, I'm sure we'll hear all the stories about people who have to use Facebook for one reason or another. Sorry, but if my employer, friend, worst enemy, bowling buddy, dog circus membership, or whatever, told me I "had" to use Facebook using my own credentials or identity I'd find an alternate employer, friend, worst enemy, dog circus membership, or bowling buddy. Forcing someone to use Facebook is like forcing them to stick their hand in an operating blender. I'd rather keep all my fingers and my hand. Facebook is totally unnecessary.  
    watto_cobra
  • Reply 16 of 28
    mac_dogmac_dog Posts: 1,069member

    They are idiots! Can I say that here?

    They’re fucking idiots!
    razorpitStrangeDayswatto_cobra
  • Reply 17 of 28
    Nobody cares. It changes nothing. Their user numbers keep growing. I don't know what it will take for people to leave. Seems no scandal will make a difference. Been FB free for 12 months and never happier. 
    mac_dogwatto_cobra
  • Reply 18 of 28
    SoliSoli Posts: 10,035member
    doctwelve said:
    Their user numbers keep growing.
    Where are you getting that info? I've only seen where 1) users have dropped, 2) younger people are not using FB in favour of other social media sites/apps, and 3) their traffic is down by half in just 2 years.
    watto_cobra
  • Reply 19 of 28
    lkrupplkrupp Posts: 10,557member
    doctwelve said:
    Nobody cares. It changes nothing. Their user numbers keep growing. I don't know what it will take for people to leave. Seems no scandal will make a difference. Been FB free for 12 months and never happier. 
    Again, that’s the difference between the so-called tech aware group and the general public who just want their friends to see the gourmet hamburger they ordered at Red Robin.
    JFC_PAwatto_cobra
  • Reply 20 of 28
    maltzmaltz Posts: 453member
    eriamjh said:
    My MySpace password has never been compromised.  

    (I know you're joking, but still.  lol)
    watto_cobra
Sign In or Register to comment.