
Facebook probably stored your password in plain text and gave staff access

Facebook reportedly stored hundreds of millions of user passwords in plain text, with the data accessible by employees for many years, a security expert has claimed.

KrebsOnSecurity reports up to 600 million Facebook users may have been affected by the practice, which left the plain text passwords stored on a database searchable by more than 20,000 staff at Facebook.

Those staff made nine million ‘internal queries for data elements’ that contained those exposed passwords, the report says. The source has also uncovered an archive suggesting this practice goes all the way back to at least 2012.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, that source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”


Facebook has commented on the report. It doesn’t deny passwords were stored in plain text, but claims there has been no breach of its password database and says it will not be triggering a password reset as a result.

It put forward a software engineer to speak with Krebs who says the passwords were inadvertently logged. He also said the company isn’t going to comment on numbers of passwords, the length of time the passwords were stored in plain text, or how many employees may have accessed them during that time.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Scott Renfro said.

“In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

The revelation could not come at a worse time for Facebook as founder and CEO Mark Zuckerberg seeks to rebrand the company as a privacy-first platform. Of course, there was also a time when Zuck reportedly referred to early Facebook users as “dumb f***ks” for expecting privacy.
