Updated with the disclosure that ‘millions’ of Instagram passwords had been stored in plain text. This story was originally published on March 21, 2019.
On March 21, in a post on its official blog, Facebook said it had stored the passwords of “hundreds of millions” of Facebook, Facebook Lite and Instagram users in unencrypted text on its internal servers, where thousands of Facebook employees could view them.
The post followed closely on reporting by freelance information-security journalist Brian Krebs, who published the story that morning on his blog. A Krebs source said that “between 200 million and 600 million” Facebook users may have had their passwords exposed, and that more than 20,000 Facebook employees had accessed and seen those passwords.
The silver lining, at least for now, is that there is no evidence that account passwords left Facebook’s corporate headquarters, so to speak. There may be no need to change your Facebook or Instagram passwords, as long as the passwords are unique and strong. But this is a reminder that you must enable two-factor authentication to protect your Facebook account, preferably using an authentication app or a physical USB security key as a second factor.
“We haven’t found any cases so far in our investigations where someone was intentionally looking for passwords, and we haven’t found signs of misuse of this data,” Facebook software engineer Scott Renfro told Krebs.
Facebook, like every other website that requires users to log in, is not supposed to store passwords in plain text. Instead it should “hash” each password with a one-way hashing algorithm and store only the hashed version.
When you log in with your password, the backend hashes what you typed using the same algorithm and compares the resulting hash with the hash stored for your account. If the hashes match, you are granted access to the site.
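As an added illustration of the hashed-storage scheme described above (example code, not Facebook's), the following Python stores only a salted PBKDF2 hash, verifies a login against that stored record, and scrubs password fields from anything that reaches an application log, which is the step the story says was missing. The iteration count, record format and field names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters, not those of any real site.
ITERATIONS = 200_000
PASSWORD_FIELDS = {"password", "passwd", "pass", "new_password"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'.
    The plaintext password is never stored; only this record is."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the submitted password with the stored salt and parameters and
    compare in constant time; the stored record alone is enough to check a login."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def redact_for_log(form: dict) -> dict:
    """The defect in the story was app code writing whole request payloads,
    password included, to internal logs. Scrub credential fields before logging."""
    return {k: ("[REDACTED]" if k.lower() in PASSWORD_FIELDS else v)
            for k, v in form.items()}


if __name__ == "__main__":
    # Constructed sample login form, not real data.
    form = {"email": "user@example.com", "password": "correct horse battery"}
    record = hash_password(form["password"])
    print("stored record:", record)
    print("safe log line:", redact_for_log(form))
    print("login ok:", verify_password("correct horse battery", record))
    print("wrong password:", verify_password("wrong", record))
```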
But that isn’t quite what happened here. In January, Facebook employees reviewing code noticed that some Facebook web apps were logging and storing user passwords on Facebook’s internal servers, Krebs said. These apps weren’t new, either – some appear to have been logging unencrypted passwords since 2012.
Since then, an anonymous Facebook source told Krebs, about 2,000 Facebook employees made “about nine million internal queries” for data that would have included user passwords.
Facebook did not confirm these kinds of numbers in its blog post, but estimated that it would “notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” that their passwords had been exposed to Facebook employees.
Facebook Lite is a low-resource version of Facebook designed for slow internet connections and low-power smartphones.
UPDATE: On April 18, 2019, Facebook updated its original blog post on the matter to say that not “dozens” but “millions” of Instagram passwords had been stored in a readable format. Facebook said it plans to notify these users, but that none of the passwords had been exploited or improperly accessed.