Facebook has admitted that it stored the passwords of hundreds of millions of Facebook users in plain text. And while these passwords were only visible to Facebook employees, this is still another example of lax security inside the social network.
Facebook is having a torrid time. There was the Cambridge Analytica scandal, the spread of fake news, and ad campaigns influencing elections. There was also the Facebook hack affecting 50 million users, and the Facebook bug exposing users’ photos.
And now we discover that Facebook has been storing passwords in plain text.
Facebook Fails at Keeping Passwords Secure
In a blog post titled “Keeping Passwords Secure”, Facebook admits that “some user passwords were being stored in a readable format within our internal data storage systems”. That “some” actually means hundreds of millions of Facebook users.
Krebs on Security, which first reported the story, quotes a figure of “between 200 million and 600 million Facebook users,” and suggests these passwords were “searchable by more than 20,000 Facebook employees”. Which is no laughing matter.
Facebook says it has “fixed these issues” and “will be notifying everyone whose passwords […] were stored in this way”. The social network also claims it has “found no evidence to date that anyone internally abused or improperly accessed them”.
What’s more, Facebook has made it clear that it normally hashes and salts user passwords to avoid storing them in plain text. However, for undisclosed reasons, this system failed, exposing hundreds of millions of Facebook users’ passwords to Facebook employees.
Is It Time to Delete Facebook?
If you are one of the people affected by this issue, Facebook will be in touch. At that point, Facebook is suggesting you change your password and consider enabling two-factor authentication. Or you could just delete Facebook and finally be done with it.
It should be noted that this security issue appears to have hit Facebook Lite users particularly hard, as they make up the bulk of those affected. And while this may not exactly encourage you to use it, here’s our review of Facebook Lite from 2015.