Facebook stored 'hundreds of millions' of passwords in plain text for years

Facebook Inc. disclosed a flaw on its social network that made passwords of hundreds of millions of users visible to employees and said the issue has now been fixed. Pedro Canahuati, Facebook's vice-president of engineering, security and privacy, wrote that "we have found no evidence to date that anyone internally abused or improperly accessed" the passwords.

The basic security shortcoming was revealed on the heels of a series of controversies centered on whether Facebook properly safeguards the privacy and data of its users.

As KrebsOnSecurity reports, a Facebook source who asked for anonymity confirmed that between 200 and 600 million users had their passwords stored free of encryption on the company's servers.

It's unclear how long Facebook left the passwords exposed, but the anonymous employee says the probe has so far uncovered archives containing plaintext user passwords dating back to 2012. "We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way".

Facebook will also notify tens of millions of other Facebook users and tens of thousands of Instagram users. This story has been published from a wire agency feed without modifications to the text.

Alternate title: Facebook does literally the one thing you're never supposed to do with passwords, doesn't notice for years, hides it for months, then brushes it under the rug. Most of the accounts affected were using Facebook Lite, a version of the app designed for emerging markets.

"This caught our attention because our login systems are created to mask passwords using techniques that make them unreadable", he added.

At this stage in the investigation, the company is not requiring any users to reset their passwords.

"We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data", Facebook software engineer Scott Renfro told Krebs.

"In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this. We want to make sure we're reserving those steps and only force a password change in cases where there's definitely been signs of abuse".
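The two controls the quotes above describe, a login system that stores passwords only in a masked (hashed) form, and keeping passwords from being "inadvertently logged", look like the following in practice. This is an added illustration, not Facebook's code; the hash format, the iteration count and the field-name patterns are my own choices for the example, and the sample payload and log line are constructed.

```python
"""Added example: hash passwords at rest and keep them out of application logs."""
import hashlib
import hmac
import logging
import os
import re
from typing import Optional

# Illustrative parameters (not Facebook's): PBKDF2-HMAC-SHA256 is in the
# standard library everywhere; pick the iteration count from current guidance.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The plaintext is never stored; a fresh per-user salt defeats precomputed
    tables, and the slow KDF makes offline guessing expensive if the store leaks.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Field names that should never reach a log line (constructed list for the example).
SECRET_FIELD = re.compile(r"^(pass(word|wd)?|pwd|secret|token)$", re.IGNORECASE)
# 'password=hunter2' / 'passwd: hunter2' style pairs inside free-form messages.
SECRET_PAIR = re.compile(r"(?i)(pass(?:word|wd)?|pwd)(\s*[=:]\s*)\S+")


def redact(payload: dict) -> dict:
    """Copy a request payload with credential fields masked before it is logged."""
    return {k: ("[REDACTED]" if SECRET_FIELD.match(k) else v) for k, v in payload.items()}


def scrub(text: str) -> str:
    """Mask key=value credential pairs in an already-formatted message."""
    return SECRET_PAIR.sub(r"\1\2[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Last line of defence on the logger itself: a request handler that logs
    the raw form body by mistake still cannot write the password to disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())  # format first, then mask
        record.args = ()
        return True


if __name__ == "__main__":
    logger = logging.getLogger("login")
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logger.addFilter(RedactingFilter())

    stored = hash_password("correct horse battery staple")
    print("stored:", stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("verify bad:", verify_password("wrong", stored))

    form = {"user": "alice", "password": "hunter2"}  # constructed request body
    logger.info("login attempt %s", redact(form))          # deliberate redaction
    logger.info("raw body user=alice password=hunter2")     # careless log, still masked
```

The point of having both `redact` and the logger filter is that the first protects the code path you remembered to think about, while the filter catches the debug statement nobody reviewed; the plaintext archives described in the article are what happens when only the first control exists.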