
Shocker! Facebook improperly stored hundreds of millions of passwords in plain text

Published Mar 21st, 2019 4:20PM EDT


Over the past few years, Facebook hasn’t done much to convince users that it takes user privacy as seriously as it should. Indeed, it seems that the social networking giant can’t even go a month without some new scandal or security breach making the news. Most recently, Facebook revealed that the passwords of hundreds of millions of Facebook and Instagram users were improperly stored in plain text on internal servers. In short, Facebook employees could have potentially looked up the passwords for individual users, though there’s no indication that this actually happened.

Nonetheless, many would argue that Facebook hasn’t exactly earned the benefit of the doubt with respect to security and user privacy.

In a blog post addressing the issue, Facebook relays that it found no evidence that any employee improperly accessed said passwords. Further, the company — in the interest of full disclosure — said it would notify users whose passwords were stored in plain text about the security lapse.

“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the post reads in part.

Shedding more light on the matter, security researcher Brian Krebs, citing a source within Facebook, relays that upwards of 600 million users were impacted and that 20,000 Facebook employees could have accessed the plain text passwords which were searchable as far back as 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

Is this a huge scandal? Not really. Still, given how much personal information people tend to store on Facebook, the idea of one’s password being stored in plain text will likely not sit well with many.

As a final point, it’s worth noting that no users will have to reset their passwords.

Yoni Heisler Contributing Writer

Yoni Heisler has been writing about Apple and the tech industry at large and has over 15 years of experience. A lifelong expert Mac user and Apple expert, his writing has appeared in Edible Apple, Network World, MacLife, Macworld UK, and TUAW.

When not analyzing the latest happenings with Apple, Yoni enjoys catching Improv shows in Chicago, playing soccer, and cultivating new TV show addictions.