Facebook admits millions of Instagram accounts affected by unencrypted password storage bl...

Posted in General Discussion, edited April 2019
Facebook has admitted that its major security breach from March, in which the social network stored "hundreds of millions" of plain-text passwords on internal servers, was worse than first thought for users of Instagram, advising it may have affected millions of accounts on the image-sharing service and not the "tens of thousands" it initially reported.




The revelation in March involved the storage of details for between 200 million and 600 million accounts on internal servers in an unprotected, unencrypted fashion. According to the leak from an anonymous senior Facebook employee, the practice dated as far back as 2012, and some 2,000 engineers made approximately 9 million queries on that data, which included passwords.

Facebook's own post about the discovery, which was in fact found in January but reported in March, has been corrected with new information about the size of the breach. The post originally estimated that "hundreds of millions" of Facebook Lite users, as well as tens of millions of other Facebook users, were affected along with "tens of thousands of Instagram users."

Updated on Thursday, the post advises "additional logs of Instagram passwords being stored in a readable format" were discovered in the investigation, and that Facebook now estimates the issue "impacted millions of Instagram users." Facebook claims it will begin notifying affected users in a similar way to others.

"Our investigation has determined that these stored passwords were not internally abused or improperly accessed," the update concludes.

At the time, it was claimed that Facebook had not seen any cases of employees intentionally looking for passwords, or any sign that the data was misused. By way of explaining the existence of the insecure data trove, it was claimed the details were inadvertently logged, but that there "was no actual risk" from its creation.

Facebook has notified affected users of all of the services to prompt the creation of a new and securely stored password.

The increase in accounts affected is the latest privacy issue Facebook has faced in recent months. On Wednesday, it was found Facebook had "unintentionally uploaded" the email contacts for some 1.5 million users without their consent.

It has also been accused of sloppy security practices, questionable data sharing, and leveraging user data in dealings with partners, and was most famously at the center of the Cambridge Analytica scandal, facing a record billion-dollar FTC fine.

Comments

  • Reply 1 of 15
    ElCapitan, Posts: 372, member
    Why is that company not closed down already? Someone in the US government, please do the world a BIG favor!
  • Reply 2 of 15

    Are we in season 1 or 2 of this comedy/horror show called Facebook (Instagram), directed by Mark Zuckerberg? Are we really not going to hold this company up to any type of wrongdoing?

  • Reply 3 of 15
    bobolicious, Posts: 1,139, member
    ...should Zuck be behind bars...? Is that the only thing that might smarten CEOs up (and not some resort disguised as a minimum security prison), or does that only promote the 'University of Crime' concept...?
  • Reply 4 of 15
    wonkothesane, Posts: 1,717, member
    I suggest it’s time to introduce a category at AI SUCH AS “weekly FB security breaches and other non compliances”. That would make way more room for “real” news.  /s
  • Reply 5 of 15
    StrangeDays, Posts: 12,834, member
    It’s their same old pattern — underreport the initial numbers, then increase over time to the truth.

    Scumbags.
  • Reply 6 of 15
    Soli, Posts: 10,035, member
    wonkothesane said:
    I suggest it’s time to introduce a category at AI SUCH AS “weekly FB security breaches and other non compliances”. That would make way more room for “real” news.  /s
    That category is too long. It needs to be under a category called "No Duh News," which also includes Google lying, Samsung cheating, and Huawei caught subverting laws.
  • Reply 7 of 15
    sflocal, Posts: 6,092, member
    bobolicious said:
    ...should Zuck be behind bars...? Is that the only thing that might smarten CEOs up (and not some resort disguised as a minimum security prison), or does that only promote the 'University of Crime' concept...?
    Yeah... behind bars just like the CEO of Equifax for revealing my financial information that could actually ruin me!

    Oh wait... nevermind.

    Seriously... while Zuckerberg has a bunch of monkeys running loose in the security department, I couldn't care less about FB and Instagram data because there's just nothing there.  Anyone posting anything to either platform is in most ways publicly accessible anyways.
  • Reply 8 of 15
    dewme, Posts: 5,332, member
    Facebook is like a nasty rash that is impervious to any known cure. But you know what? The people who use Facebook really don't care because Facebook, aka The Rash, fills a need in their lives and they are never going to stop using it. They've learned to live with The Rash and worry about other more important things in their lives, like who's going to get bumped from Celebrity Big Brother or Dancing with the Stars. There's only so many things in life that people can afford to give a **** about, and Facebook's utter disregard for subscriber privacy and security doesn't make the cut for many millions of people. 
  • Reply 9 of 15
    wonkothesane, Posts: 1,717, member
    Soli said:
    I suggest it’s time to introduce a category at AI SUCH AS “weekly FB security breaches and other non compliances”. That would make way more room for “real” news.  /s
    That category is too long. It needs to be under a category called "No Duh News," which also includes Google lying, Samsung cheating, and Huawei caught subverting laws.
    I think the most disturbing part is that these kinds of frauds and crimes happen on a daily basis - and except for a bunch of people on an Internet forum not really anyone seems to care :/
  • Reply 10 of 15
    M68000, Posts: 719, member
    It’s starting to sound like something from 1980s computing. It’s a complete embarrassment. I would suggest anybody who uses Facebook or Instagram makes 1 unique password that they use on nothing else in their lives. Don’t you wish you worked there? LOL
  • Reply 11 of 15
    mac_dog, Posts: 1,069, member
    M68000 said:
    It’s starting to sound like something from 1980s computing. It’s a complete embarrassment. I would suggest anybody who uses Facebook or Instagram makes 1 unique password that they use on nothing else in their lives. Don’t you wish you worked there? LOL
    Had a friend who worked there. She worked with engineers and said the egos were huge and no one knew what they were doing team-wise. What was clear to her was that the engineering team was the one calling the shots. Said it was a complete cluster fuck, and would never work there again.
  • Reply 12 of 15
    kruegdude, Posts: 340, member
    sflocal said:
    ...should Zuck be behind bars...? Is that the only thing that might smarten CEOs up (and not some resort disguised as a minimum security prison), or does that only promote the 'University of Crime' concept...?
    Yeah... behind bars just like the CEO of Equifax for revealing my financial information that could actually ruin me!

    Oh wait... nevermind.

    Seriously... while Zuckerberg has a bunch of monkeys running loose in the security department, I couldn't care less about FB and Instagram data because there's just nothing there.  Anyone posting anything to either platform is in most ways publicly accessible anyways.
    Your name, address, phone number, pictures of you at a party, all of this has potentially been uploaded to Facebook servers without your knowledge or permission through other people’s posts. You might not care but how would you know if you did?
  • Reply 13 of 15
    fastasleep, Posts: 6,408, member
  • Reply 14 of 15
    retrogusto, Posts: 1,109, member
    Yes, excellent point about it being no coincidence that they released this information on the same day as the release of the Mueller report, to guarantee that it wouldn’t be the top news of the day. 
  • Reply 15 of 15
    cgWerks, Posts: 2,952, member
    sflocal said:
    Seriously... while Zuckerberg has a bunch of monkeys running loose in the security department, I couldn't care less about FB and Instagram data because there's just nothing there.  Anyone posting anything to either platform is in most ways publicly accessible anyways.
    The problem is more that too many people don't have good security practices, so the same password they used for Facebook, might be the password they used for their bank account, or some other service that does have important information or consequences.

    dewme said:
    Facebook is like a nasty rash that is impervious to any known cure. But you know what? The people who use Facebook really don't care because Facebook, aka The Rash, fills a need in their lives and they are never going to stop using it. They've learned to live with The Rash and worry about other more important things in their lives, like who's going to get bumped from Celebrity Big Brother or Dancing with the Stars. There's only so many things in life that people can afford to give a **** about, and Facebook's utter disregard for subscriber privacy and security doesn't make the cut for many millions of people. 
    Yeah, I likewise haven't deleted it yet. I don't do anything important there anymore, and won't participate in many groups there. I don't post much there anymore and take any discussions off-line. I use it more as a place to potentially get stuff seen, though the impact w/o pay-to-play is pretty bad anymore. I really should just delete it, but I also don't want to limit channels to get my messages out.

    I doubt most people are just going to delete/wipe it, but I sure hope people start smartening up about what they post and do there. There are still 'experts' recommending Facebook as the best place to host private groups for discussion of sensitive topics... yikes! And, a lot of people I know still dump their entire lives up there, or have discussions (again, which they assume are semi-private) about things they wouldn't necessarily want made public. In light of all this, that's just insane behavior.

    M68000 said:
    It’s starting to sound like something from 1980s computing. It’s a complete embarrassment. I would suggest anybody who uses Facebook or Instagram makes 1 unique password that they use on nothing else in their lives. Don’t you wish you worked there? LOL
    Oh, heck yeah! You should do this for EVERYTHING, not just Facebook! (ie: a strong, unique password for every account of any kind)

    I told someone about this news, and they said... 'Oh, I'll change my Instagram password.' And, I was like, "No, I don't think you're understanding. You need to remember if you used your old password anywhere else, and then change those places! And sure, it ALSO wouldn't hurt to change your FB and Instagram passwords."

    retrogusto said:
    Yes, excellent point about it being no coincidence that they released this information on the same day as the release of the Mueller report, to guarantee that it wouldn’t be the top news of the day. 
    This happens with all kinds of stuff, including when Congress pushes through really controversial bills. Most people don't even hear about it, because EVEN IF the MSM were paying any attention (which they probably weren't anyway), the big news story will drown out even any other outlets reporting on it.