Facebook Left Millions of Passwords Unhashed

Written by

During a routine security review in January 2019, Facebook discovered that some user passwords had been stored in plain text on its internal data storage systems, an issue that raised concerns given that the company’s login system is supposed to mask passwords, according to the Facebook newsroom.

The security flaw has reportedly been fixed, and Facebook said it will be notifying everyone whose passwords were unencrypted, which it said could be hundreds of millions of Facebook users in addition to tens of thousands of Instagram users.

The social media platform did emphasize in its news release that “these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”

According to Facebook's security policy, user passwords are supposed to be hashed and salted at the time an account is created, which makes them unreadable. However, “access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords,” an unidentified Facebook source told KrebsonSecurity.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source told Krebs. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

Unfortunately for Facebook, each new headline seems to chip away at what is left of public trust, according to Terence Jackson, chief information security officer (CISO) at Thycotic.

“Another day, another Facebook breach of trust,” Jackson said. “As a CISO, the first question that comes to mind is, was this a flaw in the system or an accepted risk? Assuming they are following an SSDLC, this should have definitely been a core protection built into the system.  

"Because there is no evidence that anyone external to Facebook had access to the unencrypted passwords is not reassuring. As a Facebook user, I question why would an internal employee need access to my unencrypted password. Ultimately it’s still up to the consumer to govern data shared with services like these. This won’t likely be the last of Facebook’s trust failures.”

What’s hot on Infosecurity Magazine?