By Andrew Irumba
Facebook has admitted that hundreds of millions of its users had their account passwords stored in plain text and searchable by thousands of Facebook employees.
It also admitted to having mishandled the sensitive passwords of hundreds of millions of its users, primarily users of its Facebook Lite product. The disclosure casts doubt on the company’s ability to protect its users’ information at a time when it says it is focusing more on privacy.
In a blog post on Thursday, prompted by a report from cyber-security reporter Brian Krebs, the company admitted it had not properly masked the passwords of hundreds of millions of users: they were stored as plain text, for years, in an internal database that its staff could access.
The company said it discovered the exposed passwords during a security review in January and launched an investigation. It did not say how long it had been storing passwords in this way.
The company said that none of the passwords were visible to anyone outside Facebook, but according to Krebs the logs were accessible to some 2,000 engineers and developers.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Pedro Canahuati, a Facebook vice president wrote on Thursday in a post titled, “Keeping Passwords Secure.”
“Facebook typically masks people’s passwords when they create an account so that no one at the company can see them,” he added.
Hundreds of millions of users of Facebook Lite had been impacted, while tens of millions of regular Facebook users and tens of thousands of Instagram users were affected, the company said.
Facebook Lite, a simplified version of Facebook designed to work on slower internet connections, is popular in parts of the world with less connectivity. The company said it would notify affected users.
Storing passwords only in hashed form, never as recoverable plain text, is widely regarded as fundamental to cyber security.
“Encrypting passwords is Security 101,” said Marcus Carey, the CEO of Threatcare, an Austin cyber-security company. “If they can’t get the basic principles of cyber security right, they are surely failing on the tougher challenges.”
It’s not the first time Facebook has encountered cyber-security problems.
In September, an attack on Facebook exposed the private profile information of nearly 50 million of the social network’s users.
In December, Facebook announced it had exposed the private photos of as many as 6.8 million users without their permission.
Earlier this month, the company said it was pivoting to a privacy-focused model by adding end-to-end encryption to its various messaging services.
How Facebook Protects People’s Passwords
The company says it masks people’s passwords when they create an account so that no one at the company can see them.
In security terms, Facebook “hashes” and “salts” the passwords, using a function called “scrypt” together with a cryptographic key, so that what it stores is an irreversible, random-looking string derived from the password rather than the password itself. A hash cannot be turned back into the password; a per-user salt stops identical passwords from producing identical stored values; and a secret key held outside the password database means a copy of the database alone is not enough to run guesses against it.
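The following is an added example of that scheme in Python, written for this article and not Facebook’s own code. It assumes a server-side secret key (a constructed value here; in production it would live in a key-management system, never beside the database), applies it as an HMAC “pepper” before scrypt, and stores a self-describing `$scrypt$…` record whose format is this example’s own. The `search_records` function shows what an insider searching the store would, and would not, find.

```python
"""Salted, peppered scrypt password storage (added example, not Facebook's code)."""
import base64
import hashlib
import hmac
import os

# Hypothetical server-side secret ("pepper"). Constructed value for this example;
# in production it is held in a KMS/HSM, never in the password database itself.
SERVER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

# scrypt cost parameters: N (CPU/memory cost), r (block size), p (parallelism).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16   # bytes of per-user random salt
DK_LEN = 32     # bytes of derived key to store


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Pepper the password with an HMAC under SERVER_KEY, then run scrypt with the per-user salt."""
    peppered = hmac.new(SERVER_KEY, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.scrypt(peppered, salt=salt, n=n, r=r, p=p, dklen=DK_LEN)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str) -> str:
    """Return a self-describing record: $scrypt$N,r,p$salt$hash. The password is never stored."""
    salt = os.urandom(SALT_LEN)                       # fresh random salt per user
    dk = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$scrypt$%d,%d,%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(dk))


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time.
    A malformed record (for example a leftover plaintext entry) verifies as False
    instead of raising."""
    try:
        _, scheme, params, salt_b64, dk_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = (int(x) for x in params.split(","))
        salt = _unb64(salt_b64)
        expected = _unb64(dk_b64)
    except (ValueError, TypeError):
        return False
    actual = _derive(password, salt, n, r, p)
    return hmac.compare_digest(actual, expected)


def search_records(records: dict, needle: str) -> list:
    """What an insider 'searching' the store sees: users whose stored value contains the needle.
    Against hashed records a search for a plaintext password finds nothing."""
    return [user for user, value in records.items() if needle in value]


if __name__ == "__main__":
    # Constructed sample store for the demonstration.
    hashed_store = {"alice": hash_password("correct horse battery staple")}
    plaintext_store = {"alice": "correct horse battery staple"}
    print(hashed_store["alice"])
    print("login ok:", verify_password("correct horse battery staple", hashed_store["alice"]))
    print("searchable in plaintext store:", search_records(plaintext_store, "correct horse"))
    print("searchable in hashed store:   ", search_records(hashed_store, "correct horse"))
```

Two caveats a practitioner would keep in mind. First, the salt is not secret and is stored next to the hash; it is the server key that must stay out of the database, which is why it is applied in the application rather than stored as a column. Second, none of this helps if the password is written to an application log before it ever reaches `hash_password`, which is the kind of exposure the reports above describe: hashing protects the credential store, not every code path the raw password passes through.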