As per to a KrebsonSecurity report, Facebook passwords of about 600 million users were kept on the company’s servers in plain text, which quotes a high-ranking Facebook employee. The passwords were searchable by more than 20,000 Facebook employees, the report further added.
In the recent time, the analysis so far has shown documentations of user passwords in plain text dating back to the year 2012, however Facebook’s investigation still appears to be underway and is in progress. Facebook in a blog post also denied that the passwords were visible to anyone outside of the company or harmed or unsuitably retrieved by its employees.
The matter was first highlighted in January 2019 by the company’s security engineers, Facebook software engineer Scott Renfro told KrebsonSecurity. Facebook in the post on their official site said, “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems”.
In the meantime, Facebook has also said that it has secured the matter and it will be informing everyone whose passwords have been kept in plain text.
Facebook tweeted, “Out of an abundance of caution, we are telling people so that they can change passwords if they choose”.
The company said it estimations to inform “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” However it did not give out precise numbers of operators whose passwords were uncovered, the report puts it in the middle of 200 million to 600 million.
Facebook informs, “We have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify this to hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
The users of Facebook and Instagram are advised to change their passwords. Even though on the other hand Facebook claims that there was no proof of abuse of uncovered passwords. Two-factor verification is also suggested as it adds an additional cover of security. The feature needs users to fill a code every time they log in to their account.
Pedro Canahuati, VP Engineering, Security and Privacy at Facebook write, “We have fixed these issues and as a precaution will be notifying everyone whose passwords we found stored this way”.
Facebook advised, “Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third party authentication app. When you log in with your password, we will ask for a security code or to tap your security key to verify that it is you”.
