Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees, in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says its investigation has so far found no evidence that employees abused their access to this data, which was kept on internal company servers. That is according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to talk to the press. User account passwords were stored in plain text and could be searched by more than 20,000 Facebook employees. The source says Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has found archives containing plain-text user passwords dating back to 201
Some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain-text user passwords.
"The longer we go into this analysis, the more comfortable the legitimate people [at Facebook] are with the lower bounds of the affected users," the source said. "They are currently working on their efforts to reduce this number even further by counting the things we have in our repository."
In an interview with KrebsOnSecurity, Scott Renfro, a Facebook software engineer, said the company is not ready to talk about specific figures, such as the number of Facebook employees who might have had access to the data.
Renfro said the company is planning to notify Facebook users, but that no password reset will be required.
"So far, we have not found any cases in our investigation where someone was looking for passwords, nor have we found any signs of abuse of this data," Renfro said. "In this situation, we found that these passwords were inadvertently recorded, but there was no real risk that came from that. We want to make sure that we keep to these steps and only force a password change in cases where there are definite signs of abuse."
A Facebook statement made available to KrebsOnSecurity says the company expects to notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users." Facebook Lite is a version of Facebook designed for low-speed connections and low-end phones.
Both GitHub and Twitter were forced to acknowledge similar problems in recent months, but in both cases the plain-text user passwords were accessible to a relatively small number of people within those organizations, and for much shorter periods of time. In January 2019, security engineers conducting a review noticed that passwords had been unintentionally recorded in plain text.
"This led the team to set up a small working group to make sure we did a comprehensive review of everything that could happen," Renfro said. "We have many controls that try to mitigate these problems, and we are in the process of exploring long-term infrastructure changes to prevent this. We are now reviewing all the logs we need to see whether there was abuse or other access to this data."
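The two failure modes the article describes, passwords "inadvertently recorded" by application logging and a later need to "review all the logs" for exposure, are easy to reproduce in a few lines. The following is an added example written for this page, not code from Facebook or from KrebsOnSecurity: it shows a login handler that logs the whole request body (the defect), the same handler with sensitive fields redacted before the line is written, and a scanner that walks existing log lines looking for credential fields that were not redacted. The field names, the log lines and the request payload are all constructed for the example.

```python
"""Plain-text password leakage through logging: defect, fix, and log audit."""
import json
import re

# Field names treated as secrets. Constructed list; extend it for your own schema.
SENSITIVE_KEYS = {"password", "passwd", "pass", "new_password", "old_password", "token"}

REDACTED = "[REDACTED]"


def redact(payload):
    """Return a copy of a decoded request payload with secret values replaced.

    Walks nested dicts and lists so a password inside a sub-object is caught too.
    """
    if isinstance(payload, dict):
        return {
            key: (REDACTED if key.lower() in SENSITIVE_KEYS else redact(value))
            for key, value in payload.items()
        }
    if isinstance(payload, list):
        return [redact(item) for item in payload]
    return payload


def format_log_line_unsafe(request):
    """The defect: serialise the entire request body, password included."""
    return "login attempt " + json.dumps(request, sort_keys=True)


def format_log_line_safe(request):
    """The fix: redact before the line ever reaches the log sink."""
    return "login attempt " + json.dumps(redact(request), sort_keys=True)


# Audit pattern: a secret field name, a ':' or '=' separator, then a value that is
# not the redaction marker. Covers JSON-style and form-encoded (key=value&...) lines.
_LEAK_RE = re.compile(
    r'"?\b(password|passwd|pass|new_password|old_password|token)\b"?\s*[:=]\s*"?'
    r"(?!\[REDACTED\])([^\",\s}&]+)",
    re.IGNORECASE,
)


def find_plaintext_leaks(log_lines):
    """Return (line_number, field_name) for every line carrying an unredacted secret.

    Deliberately does not return the secret value itself, so an audit report
    produced from this function does not re-expose what it found.
    """
    findings = []
    for line_number, line in enumerate(log_lines, start=1):
        for match in _LEAK_RE.finditer(line):
            findings.append((line_number, match.group(1).lower()))
    return findings


# Constructed sample log, not real data: two leaking lines, two clean ones.
SAMPLE_LOG = [
    'INFO login attempt {"password": "hunter2", "user": "alice"}',
    'INFO login attempt {"password": "[REDACTED]", "user": "bob"}',
    "DEBUG form fields user=carol&passwd=s3cret&remember=1",
    'INFO profile update {"display_name": "Dave"}',
]


if __name__ == "__main__":
    request = {"user": "alice", "password": "hunter2", "remember": True}
    print(format_log_line_unsafe(request))  # leaks the password
    print(format_log_line_safe(request))    # password replaced by [REDACTED]
    for line_number, field in find_plaintext_leaks(SAMPLE_LOG):
        print(f"line {line_number}: unredacted '{field}' field")
```

The redaction step belongs at the point where request data is turned into a log record (for Python's standard `logging` module, a `logging.Filter` that applies `redact()` to the record's arguments is the natural place), so that every code path writing a login event goes through it rather than relying on each developer to remember. The scanner is the cheap first pass of the kind of log review the article describes; it tells you which lines and fields to look at, and which retention windows to purge, without copying the recovered secrets into yet another file.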
Facebook's password mistakes come amid a difficult month for the social network. Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data-sharing deals Facebook made with some of the world's largest companies.
Earlier in March, Facebook came under fire from privacy experts for using phone numbers that users had provided for security purposes, such as two-factor authentication, for other things, including marketing and allowing users to be looked up by their phone numbers across its different social networking platforms.
Update, 11:43 am: Facebook has posted a statement about this incident here.
Tags: Facebook, plaintext passwords, Scott Renfro