Another day, another Facebook-related revelation. We all know by now that Facebook has been mining data about its users for quite a while. All kinds of info on relationships, phone call logs, politicals views and more were leaked.
Now, it seems that Facebook “may have inadvertently extracted another bit of critical information: users’ login credentials, stored unencrypted on Facebook’s servers and accessible to Facebook employees,” according to Ars Technica. This does not sound good at all.
Passwords logged in plain text since back in 2012
The online magazine reports that Brian Krebs said that hundreds of millions of Facebook users have had their passwords logged in plain text by all sorts of apps written by Facebook employees. This means that there was a lack of encryption.
These credentials were searched by about 2,000 Facebook engineers and developers more than 9 million times, says a Facebook senior who spoke to Krebs.
Via a recent blog post, Facebook Vice President of Engineering, Security, and Privacy Pedro Canahuati reports that the unencrypted passwords were found during “a routine security review in January” on Facebook’s internal network data storage.
The post continues and explains that “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and, as a precaution, we will be notifying everyone whose passwords we have found were stored in this way.”
Canahuati also said that the passwords were never visible to anyone outside Facebook and that there was “no evidence to date that anyone internally abused or improperly accessed them… We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
But we doubt that this explanation is enough for Facebook’s users especially after all the issues regarding users’ data that have been happening over time.
Ars Technica also says that Facebook Lite users were the most affected, but other apps were also involved.
Facebook’s advice is to change your password.