So you may have heard, but the past few years haven’t been so great for Facebook when it comes to public relations. But if you’ve been wondering what could possibly make things worse, here’s an idea: what if it turns out Facebook was caught storing hundreds of millions of users’ passwords in plain text?
Oh wait, that’s not hypothetical. It actually happened.
Facebook is promising to notify affected users and urge them to change their passwords. But if you don’t feel like waiting, there’s probably no down side to changing your password today. You might want to change your Instagram password while you’re at it.
So here’s the deal: during a “routine security review,” Facebook discovered in January that hundreds of millions of user passwords had been stored “in a readable format within our internal data storage systems.”
That’s not supposed to happen. The company says that when you create a password for your Facebook account, it’s supposed to be stored in a masked form so that you can use it to log in, but nobody at the company is able to read it in plain text. Properly done, that means a salted, one-way hash rather than encryption: the site keeps only the hash, checks a login attempt by hashing what you typed and comparing the result, and has no way to recover the original password. An encrypted password can be decrypted by anyone with the key; a hashed one can’t be turned back into the password at all.
Clearly something broke down though, because security reporter Brian Krebs says unencrypted password data for somewhere between 200 million and 600 million accounts was logged and stored in plain text. Some of that data was recorded as long ago as 2012, and it was accessible to as many as 20,000 Facebook employees.
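To make the distinction concrete, here is an added example (written for this page, not Facebook’s code, and not a reconstruction of how its logging bug actually happened). The first half stores and checks a password the way the previous paragraph describes, as a salted one-way hash, using PBKDF2-HMAC-SHA256 from Python’s standard library with an assumed iteration count of 600,000. The second half shows the generic way plaintext passwords end up in logs, a debug line that dumps the whole login request, next to a redacting version, plus a small scanner you could run over existing log text to find password-shaped fields. The field names, regex and sample log lines are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# PBKDF2-HMAC-SHA256 work factor. 600,000 is an assumed value (it matches
# current OWASP guidance for this algorithm); tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    Only the salted, slow, one-way hash is kept; the plaintext is never stored.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and parameters, then compare
    in constant time. Nothing here can recover the original password."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# --- The leak path: logging the whole request ------------------------------

# Constructed list of parameter names that must never reach a log.
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd", "new_password", "old_password"}


def redact(params: dict) -> dict:
    """Copy of the request parameters with secret fields masked."""
    return {
        k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
        for k, v in params.items()
    }


def naive_log_line(params: dict) -> str:
    """The anti-pattern: a debug line that serialises every field, password included."""
    return f"login attempt params={params}"


def safe_log_line(params: dict) -> str:
    """Same line with secret fields scrubbed before formatting."""
    return f"login attempt params={redact(params)}"


# --- Auditing existing logs -------------------------------------------------

# Matches 'password': 'x', password=x, "passwd": "x", pwd=x ... and captures x.
# Deliberately loose: false positives are cheap, a missed leak is not.
PASSWORD_FIELD_RE = re.compile(
    r"""['"]?(?:pass(?:word|wd)?|pwd)['"]?\s*[:=]\s*['"]?([^'",}\s&]+)""",
    re.IGNORECASE,
)


def find_leaked_passwords(log_text: str) -> List[str]:
    """Return every password-like value found in log_text, ignoring redactions."""
    return [
        m.group(1)
        for m in PASSWORD_FIELD_RE.finditer(log_text)
        if m.group(1) != "[REDACTED]"
    ]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong password", record))

    # Constructed login request, as a web framework might hand it to a handler.
    request = {"email": "user@example.com", "password": "hunter2"}
    print(naive_log_line(request))
    print(safe_log_line(request))
    print("leaks in naive line:", find_leaked_passwords(naive_log_line(request)))
    print("leaks in safe line: ", find_leaked_passwords(safe_log_line(request)))
```

The point of the scanner is the review step the article describes: if plaintext passwords are going to turn up anywhere, it will be in logs, crash dumps and debug traces written by code that never meant to store them, not in the password table itself, so that is where to look.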
According to Facebook, most of the accounts affected were for folks using Facebook Lite, a stripped-down version of the company’s app designed for markets with limited or unreliable internet access. But “tens of millions of other Facebook users” and “tens of thousands of Instagram users” were also affected.
Facebook acknowledged the issue after Krebs reported on the plain-text-password situation earlier today. And while the company says the passwords “were never visible to anyone outside of Facebook” and that there’s “no evidence to date that anyone internally abused or improperly accessed them,” Krebs has a source that says about 2,000 Facebook engineers or developers made about nine million “internal queries for data elements that contained plain text user passwords.”
So yeah… change your password. And maybe enable two-factor authentication.