Over the past few years, Facebook hasn’t done much to convince users that it takes user privacy as seriously as it should. Indeed, it seems that the social networking giant can’t even go a month without some new scandal or security breach making the news. Most recently, Facebook revealed that the passwords of hundreds of millions of Facebook and Instagram users were improperly stored in plain text on internal servers. In short, Facebook employees could have looked up the passwords of individual users, though there’s no indication that this actually happened.
Nonetheless, many would argue that Facebook hasn’t exactly earned the benefit of the doubt with respect to security and user privacy.
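To make the security point of the story concrete, the following is an added illustration (not Facebook's code, and not from the original article) of why plain text storage is the problem. It contrasts a flawed store that keeps the password itself with one that keeps only a per-user random salt and a slow salted hash, and it shows that an insider reading the stored row, which is the risk the article describes, learns nothing usable from the hashed form. The table layout, the function names, and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed, in-memory "user tables" standing in for a real database.
# This is an added example, not code from the page or from Facebook.

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware and policy.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(table: dict, username: str, password: str) -> None:
    """The flawed pattern: anyone who can read the table can read the password."""
    table[username] = password


def store_hashed(table: dict, username: str, password: str) -> None:
    """Keep only a random per-user salt and a slow salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    table[username] = {
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def verify_hashed(table: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = table.get(username)
    if record is None:
        # Do the same work for unknown users so response time does not
        # reveal whether an account exists.
        hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ITERATIONS
        )
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def password_visible_in_record(table: dict, username: str, password: str) -> bool:
    """Model the insider-lookup risk: does reading the stored row expose the password?"""
    return password in str(table.get(username))


if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "hunter2")  # constructed sample credential
    store_hashed(hashed, "alice", "hunter2")
    print("plaintext row reveals password:", password_visible_in_record(plain, "alice", "hunter2"))
    print("hashed row reveals password:   ", password_visible_in_record(hashed, "alice", "hunter2"))
    print("login with correct password:   ", verify_hashed(hashed, "alice", "hunter2"))
    print("login with wrong password:     ", verify_hashed(hashed, "alice", "hunter3"))
```

Because the salt is random, two users with the same password get different stored hashes, so a leaked table cannot be searched for a password value the way the article describes the internal queries doing. Systems that already hold passwords in plain text should migrate by hashing each password at the user's next successful login and deleting the plain text copy, since the hash cannot be computed without the password itself.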
In a blog post addressing the issue, Facebook relays that it found no evidence that any employee improperly accessed said passwords. Further, the company — in the interest of full disclosure — said it would notify users whose passwords were stored in plain text about the security lapse.
“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the post reads in part.
Shedding more light on the matter, security researcher Brian Krebs, citing a source within Facebook, relays that upwards of 600 million users were impacted and that 20,000 Facebook employees could have accessed the plain text passwords, which were searchable as far back as 2012.
My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.
“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
Is this a huge scandal? Not really. Still, given how much personal information people tend to store on Facebook, the idea of one’s password being stored in plain text will likely not sit well with many.
As a final point, it’s worth noting that no users will have to reset their passwords.