Millions of Facebook Passwords Stored in Plain Text


A journalist reveals that Facebook stored user passwords in plain text, searchable by the social network's employees, with some archives dating back to 2012 / Photo by: PDPics via Pixabay


A report by cybersecurity journalist Brian Krebs on Thursday revealed that hundreds of millions of Facebook user account passwords were stored in plain text and searchable by thousands of employees of the social networking site, with some cases going back to 2012.

A Facebook insider told Krebs that the social network is investigating a series of security lapses in which employees built internal applications that logged users' passwords in plain text and stored them on the company's internal servers. The source added that up to 600 million Facebook users may have had their passwords stored this way, searchable by more than 20,000 of the company's employees.
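The failure mode the source describes is an ordinary one: a developer logs an entire request for debugging, and the credential it carries lands in a log store that thousands of people can query. The following is an added Python example, not Facebook's code (nothing about its internal systems is public), showing the leaking pattern beside the usual fix, a redaction filter attached to the logger so the scrub happens before any handler writes. The field names, the logger names and the sample request are constructed for illustration.

```python
import io
import logging
import re
from typing import Any

# Parameter names that must never reach a log line. Constructed for this
# example; extend the set to match the names your own application uses.
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "new_password", "old_password",
    "secret", "token", "access_token", "refresh_token",
    "authorization", "cookie", "set-cookie",
}
REDACTED = "[REDACTED]"

# Matches key=value pairs in URL-encoded form bodies and query strings,
# longest key first so "new_password" is not partly matched as "password".
FORM_RE = re.compile(
    r"(?i)(?<![\w-])("
    + "|".join(re.escape(k) for k in sorted(SENSITIVE_KEYS, key=len, reverse=True))
    + r")=([^&\s]*)"
)


def redact(value: Any) -> Any:
    """Return a copy of value with credential-bearing fields replaced.

    Dicts are scrubbed by key name (case-insensitive) and recursed into;
    lists are recursed into; strings have form-encoded secrets scrubbed.
    """
    if isinstance(value, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return FORM_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", value)
    return value


class RedactingFilter(logging.Filter):
    """Scrub every record before any handler formats or writes it.

    Attached to the logger rather than a handler so it runs regardless of
    where the records end up: a file, syslog, or a central log warehouse.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.msg)
        # logging stores a single mapping argument as the mapping itself,
        # otherwise as a tuple; handle both shapes.
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True


def _render(body: Any, scrub: bool) -> str:
    """Log one login request to an in-memory stream and return the line."""
    stream = io.StringIO()
    logger = logging.getLogger("example.login.scrubbed" if scrub else "example.login.raw")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if scrub:
        logger.addFilter(RedactingFilter())
    # This statement is the whole problem: the request object, credentials
    # included, is handed to the logger for debugging.
    logger.info("login request: %s", body)
    return stream.getvalue().strip()


def unsafe_render_login_log(body: Any) -> str:
    """The leaking pattern: the request, password included, goes to the log."""
    return _render(body, scrub=False)


def render_login_log(body: Any) -> str:
    """The same log statement behind the redacting filter."""
    return _render(body, scrub=True)


if __name__ == "__main__":
    # Constructed sample request; no real account data.
    request = {
        "email": "alice@example.com",
        "password": "hunter2",
        "headers": {"Cookie": "session=abc123"},
    }
    print(unsafe_render_login_log(request))
    print(render_login_log(request))
    print(redact("email=alice%40example.com&password=hunter2"))
```

The filter is a backstop, not a substitute for never passing a credential to a log call in the first place; key-name matching misses a secret stored under an unexpected name, which is why the set is meant to be extended per application and why a search of existing log stores for such values, as described in the report, is still necessary after deploying it.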

The social media firm is still trying to determine how many passwords were exposed and for how long. So far, the investigation has only uncovered plain-text password archives dating back to 2012, Krebs added, citing the source.

Access logs showed that about 2,000 developers made roughly nine million internal queries for data elements that contained users' plain-text passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of users affected by the matter, the source said, adding that the company is now working on an attempt to lower that number even more “by only counting things we have currently in our data warehouse.”

Facebook was not prepared to discuss specific numbers, such as how many employees may have had access to the data, the company’s software engineer Scott Renfro told Krebs. He said the firm planned to notify affected users but would not require them to change or reset their passwords.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” the engineer said.

He explained that the passwords had been “inadvertently logged” but that there was no indication the issue had resulted in harm. “We want to make sure we’re reserving those steps and only force a password change in cases where there have definitely been signs of abuse.”