Millions of users of the social media platform Facebook had their account passwords stored in a plain, readable format, searchable by thousands of Facebook employees. While a report by security firm KrebsOnSecurity said some of the cases go back to 2012, a Facebook investigation found no evidence that the data had been abused.
In a blog post, the company admitted to having stored users' passwords in plain readable text for years, leaving them exposed to hackers or to anyone with internal access to the files.
‘As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,’ said Facebook.
‘To be clear, these passwords were never visible to anyone outside of the company and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity,’ added the company.
In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them. In security terms, the passwords are ‘hashed’ and ‘salted’: a function called ‘scrypt’, combined with a cryptographic key, irreversibly replaces the actual password with a random-looking string of characters.
With this technique, the social media giant can check that a person is logging in with the correct password without ever having to store the password itself in plain text.
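The following is an added illustration of the salt-and-hash scheme described above, not Facebook's own code: each password gets a fresh random salt, is run through scrypt, and the result is then keyed with a server-side secret (the ‘cryptographic key’ in the article) before being stored. The scrypt cost parameters, the hypothetical `SERVER_KEY` value and the record layout are assumptions for the example; a real deployment would keep the key in a secrets manager, separate from the password database.

```python
import hashlib
import hmac
import os
from typing import NamedTuple

# Hypothetical server-side secret ("pepper"). Constructed for this example;
# in production it lives in a KMS/HSM, never alongside the password records.
SERVER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# scrypt cost parameters (assumed for the example; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


class PasswordRecord(NamedTuple):
    """What the database stores instead of the password: salt plus keyed digest."""
    salt: bytes
    digest: bytes


def _derive(password: str, salt: bytes) -> bytes:
    """Salted scrypt, then HMAC with the server key so a leaked table alone is useless."""
    kdf = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=32,
        maxmem=64 * 1024 * 1024,
    )
    return hmac.new(SERVER_KEY, kdf, hashlib.sha256).digest()


def hash_password(password: str) -> PasswordRecord:
    """Create the record for a new account; a fresh 16-byte salt per user."""
    salt = os.urandom(16)
    return PasswordRecord(salt, _derive(password, salt))


def verify_password(password: str, record: PasswordRecord) -> bool:
    """Recompute the digest from the login attempt and compare in constant time."""
    return hmac.compare_digest(_derive(password, record.salt), record.digest)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored salt:", rec.salt.hex())
    print("stored digest:", rec.digest.hex())
    print("correct password accepted:", verify_password("correct horse battery staple", rec))
    print("wrong password rejected:", not verify_password("wrong password", rec))
```

Two users with the same password end up with different stored digests because of the per-user salt, and the plaintext never needs to be written anywhere; the only way to check a login is to recompute the derivation from the attempt.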
However, Krebs on Security believes that a vulnerability in a few of the Facebook-branded apps left passwords accessible to over 20,000 company employees.
‘To minimise the reliance on passwords, we introduced the ability to register a physical security key to your account, so the next time you log in you’ll simply tap a small hardware device that goes in the USB drive of your computer. This measure is particularly critical for high-risk users including journalists, activists, political campaigns and public figures,’ the company commented.