An exclusive Krebs on Security report has revealed that Facebook stored passwords for hundreds of millions of users in plain text, making them easily searchable by thousands of Facebook employees. Facebook has already acknowledged the incident, saying that it has found no evidence so far about its staff improperly accessing those passwords.
The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012.
The social media giant has said that it will be notifying hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users about the issue.
The company’s internal investigation found that at least 2,000 Facebook employees searched through the files containing passwords, though it’s not clear what for. Here’s what Facebook wrote in its statement:
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution, we will be notifying everyone whose passwords we have found were stored in this way.”
Since Facebook believes the plain text passwords were never exposed outside of the company or abused internally, users won’t be required to reset their passwords.
You can read Facebook’s full statement regarding the incident at this link.