Facebook Admits Storing Passwords in Plain Text



Facebook has admitted that it stored the passwords of hundreds of millions of Facebook users in plain text. And while these passwords were only visible to Facebook employees, this is still another example of lax security inside the social network.


Facebook is having a torrid time. There was the Cambridge Analytica scandal, the spread of fake news, and ad campaigns influencing elections. There was also the Facebook hack affecting 50 million users, and the Facebook bug exposing users’ photos.

And now we discover that Facebook has been storing passwords in plain text.

Facebook Fails at Keeping Passwords Secure

In a blog post titled “Keeping Passwords Secure”, Facebook admits that “some user passwords were being stored in a readable format within our internal data storage systems”. That “some” actually means hundreds of millions of Facebook users.

Krebs on Security, which first reported the story, quotes a figure of “between 200 million and 600 million Facebook users,” and suggests these passwords were “searchable by more than 20,000 Facebook employees”. Which is no laughing matter.

Facebook says it has “fixed these issues” and “will be notifying everyone whose passwords […] were stored in this way”. The social network also claims it has “found no evidence to date that anyone internally abused or improperly accessed them”.

What’s more, Facebook has made it clear that it normally hashes and salts user passwords to avoid storing them in plain text. However, for undisclosed reasons, this system failed, exposing hundreds of millions of Facebook users’ passwords to Facebook employees.

Is It Time to Delete Facebook?

If you are one of the people affected by this issue, Facebook will be in touch. At that point, Facebook is suggesting you change your password and consider enabling two-factor authentication. Or you could just delete Facebook and finally be done with it.

It should be noted that this security issue appears to have hit Facebook Lite users particularly hard, as they make up the bulk of those affected. And while this may not exactly encourage you to use it, here’s our review of Facebook Lite from 2015.


  1. Pat
    March 22, 2019 at 3:37 pm

    Never had a Facebook account, never will.