So you may have heard, but the past few years haven’t been so great for Facebook when it comes to public relations. But if you’ve been wondering what could possibly make things worse, here’s an idea: what if it turns out Facebook was caught storing hundreds of millions of users’ passwords in plain text?

Oh wait, that’s not hypothetical. It actually happened.

Facebook is promising to notify affected users and urge them to change their passwords. But if you don’t feel like waiting, there’s probably no downside to changing your password today. You might want to change your Instagram password while you’re at it.

So here’s the deal: during a “routine security review,” Facebook discovered in January that hundreds of millions of user passwords had been stored “in a readable format within our internal data storage systems.”

That’s not supposed to happen. The company says when you create a password for your Facebook account, it’s supposed to be encrypted so that you can use your password to log in to your account, but nobody at the company is supposed to be able to read it in plain text.

Clearly something broke down though, because security reporter Brian Krebs says unencrypted password data for somewhere between 200-million and 600-million accounts was logged and stored in plain text. Some of that data was recorded as long ago as 2012, and it was accessible to as many as 20-thousand Facebook employees.
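The two paragraphs above describe the expected design (the server keeps only a one-way hash it can check a login against, never the password itself) and the failure (raw passwords ending up in internal logs that thousands of employees could query). The following added example is not Facebook's code and is not from this article; it is a small Python illustration of both halves: salted PBKDF2 hashing with constant-time verification, a log writer that redacts password-like fields before an event is stored, and an audit helper that scans existing log lines for fields that still hold readable passwords. The sample log lines, field names and the hypothetical `SENSITIVE_KEYS` pattern are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import re
from typing import Optional

# Slow, salted password hashing: the stored record lets the server verify a
# login attempt, but nobody holding the record can read the password back.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record (algorithm, iterations, salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# Hypothetical pattern for field names that must never be logged in the clear.
SENSITIVE_KEYS = re.compile(r"(pass(word|wd)?|pwd|secret|token)", re.IGNORECASE)
REDACTED = "[REDACTED]"


def redact(event: dict) -> dict:
    """Replace the value of any sensitive key, recursing into nested dicts."""
    out = {}
    for key, value in event.items():
        if isinstance(value, dict):
            out[key] = redact(value)
        elif SENSITIVE_KEYS.search(key):
            out[key] = REDACTED
        else:
            out[key] = value
    return out


def log_login_attempt(event: dict) -> str:
    """Return the JSON line that would be appended to an internal log."""
    return json.dumps(redact(event), sort_keys=True)


def flatten(record: dict, prefix: str = ""):
    """Yield (dotted.key, value) pairs for every leaf in a nested dict."""
    for key, value in record.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, dotted)
        else:
            yield dotted, value


def find_leaked_password_fields(log_lines):
    """Audit helper: list (line number, field) for fields that still look like raw passwords."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines are out of scope for this check
        for key, value in flatten(record):
            if SENSITIVE_KEYS.search(key) and value != REDACTED:
                findings.append((number, key))
    return findings


# Constructed sample log lines, one of them properly redacted and one not JSON.
SAMPLE_LOG_LINES = [
    '{"event": "login", "user": "alice", "password": "hunter2"}',
    '{"event": "login", "user": "bob", "password": "[REDACTED]"}',
    '{"event": "api", "request": {"user": "carol", "passwd": "letmein"}}',
    "not json at all",
]

if __name__ == "__main__":
    record = hash_password("correct horse")
    print("verify ok:", verify_password("correct horse", record))
    print("safe log line:", log_login_attempt({"user": "alice", "password": "hunter2"}))
    print("leaks found:", find_leaked_password_fields(SAMPLE_LOG_LINES))
```

The audit helper is the part that would have mattered here: a periodic scan of internal log stores for password-like fields with non-redacted values turns "a routine security review found it years later" into an alert the day the first bad log line is written.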

According to Facebook, most of the accounts affected were for folks using Facebook Lite, a stripped-down version of the company’s app designed for markets with limited or unreliable internet access. But “tens of millions of other Facebook users” and “tens of thousands of Instagram users” were also affected.

Facebook acknowledged the issue after Krebs reported on the plain-text-password situation earlier today. And while the company says the passwords “were never visible to anyone outside of Facebook” and that there’s “no evidence to date that anyone internally abused or improperly accessed them,” Krebs has a source that says 2-thousand Facebook engineers or developers made about 9-million “internal queries for data elements that contained plain text user passwords.”

So yeah… change your password. And maybe enable 2-factor authentication.


7 replies on “Now’s as good a time as any to change your Facebook password”

  1. When they say ‘there’s no evidence that anyone misused that massive list of passwords’, does that mean they didn’t really look for evidence that the list was abused? Or am I being too cynical?

    It’s hard to believe so many people could have so much temptation and not even look at a spouse’s or child’s page account at least once!

  2. How in the heck is Facebook, one of the wealthiest companies in the world, not being sued with such negligent security? This is clearly a breach of contract because Facebook allows transactions in their network meaning their users’ financial information has been at risk and potentially could have been compromised.

    1. Wells Fargo created unauthorized accounts and credit lines on behalf of their unaware customers for years yet no executive was charged. Why would you think anyone in Facebook would be charged?

  3. Sigh… you know, downloading porn on dialup in ASCII-art from a BBS was not that great, but we sure didn’t have this many hacks, even though everybody’s password for everything was just ‘1234’ or ‘password’.
