Facebook ‘exposed hundreds of millions of passwords’ on internal network
Published On: March 22, 2019
Facebook's security and privacy practices have come into question again after it was revealed that the social network has been keeping hundreds of millions of user passwords in plaintext form on its internal systems, which could have allowed anyone with access to compromise accounts.
Between 200 million and 600 million accounts are thought to have been affected by the issue, according to security researcher Brian Krebs, who first broke the news, with some of these accounts going back as far as 2012.
It means that anyone with access to Facebook's internal network, which could be as many as 20,000 employees, would have been able to search the database and discover passwords due to a lack of encryption.
A source at the company told Mr Krebs that access logs revealed around nine million data queries had been made for information containing these plaintext passwords, by around 2,000 engineers and developers.
The security flaw could also mean that if Facebook's internal systems were compromised, a hacker could easily extract the unprotected passwords, though there is no indication at this stage that any of this information has been misused.
In a statement, Facebook acknowledged the issue and said it has taken steps to fix the problem, and will be notifying every user whose passwords were stored in this way.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," the company continued.
Best practice guidelines for stored user passwords require them to be protected using 'hashing' techniques, which replace each password on a firm's system with a fixed-length digest from which the original password cannot be recovered. Facebook added that these standards are in use on the company's systems, but some passwords were "inadvertently" stored in plaintext instead.
The latest security issue comes after a difficult few months for Facebook, which has already had to deal with questions about how it uses the vast amount of data it collects about its users, and had around 50 million accounts potentially compromised in a data breach.