Facebook has been storing unencrypted passwords for years
Facebook acknowledged that it stored millions of user passwords in plain text for years, leaving them readable by Facebook employees. KrebsOnSecurity, which first reported the news, said that 200 to 600 million passwords were stored in plain text as early as 2012 and were searchable by thousands of Facebook employees. Plain text means the stored passwords were unencrypted, so anyone with access to Facebook's internal data storage systems could read them directly.
Pedro Canahuati, vice president of engineering, security and privacy at Facebook, said: "As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."
Facebook notified hundreds of millions of Facebook Lite users (Facebook Lite is a version of Facebook used by people in areas with limited connectivity), as well as millions of other Facebook users and thousands of Instagram users. Canahuati stated that the passwords were never visible to anyone outside of Facebook and that Facebook has found no evidence that anyone internally abused or improperly accessed them. Krebs reported that 2,000 engineers or developers made over nine million internal queries for data elements containing plain text user passwords.
Security researcher Troy Hunt said that the Facebook issue seems similar to a glitch Twitter had last year, in which it inadvertently logged passwords in plain text. Twitter said the glitch caused account passwords to be stored in plain text in an internal log, sending users across the platform scrambling to change their passwords. There is no evidence that those passwords were exposed.
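Both incidents come down to the same failure: a password that should exist only as a salted hash ends up in readable form, whether in a data store or in a log line. The following is an added example, not Facebook's or Twitter's code, showing what "masking" a password means in practice (a random per-user salt and a memory-hard key derivation, here scrypt from Python's standard library) and how a service can keep credential fields out of its logs and detect lines where one slipped through. The field names in SENSITIVE_KEYS and the log format in the detector are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict

# Constructed example; not code from the article or from the companies it discusses.
# A login system is expected to keep only the output of hash_password(), never the
# password itself. A "readable format" store is one that skipped this step.

# scrypt parameters: N is the CPU/memory cost (a power of two), r the block
# size, p the parallelisation factor. 2**14 keeps the example fast; real
# systems tune N upward. Memory use is about 128 * r * N bytes (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str) -> str:
    """Return the masked form that belongs in the data store.

    The record carries its own parameters and salt, so the cost can be raised
    later without breaking verification of records written with the old cost.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Field names whose values must never reach a log line. These names are an
# assumption for the example; a real service would list its own parameters.
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd", "new_password"}


def scrub_for_log(record: Dict[str, str]) -> Dict[str, str]:
    """Mask credential fields in a request record before it is logged."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in record.items()}


def log_contains_password(log_line: str) -> bool:
    """Detection check for key=value style logs (an assumed format):
    flag a line that still carries an unmasked password field."""
    pattern = r"\b(?:password|passwd|pwd)=(?!\[REDACTED\])\S+"
    return re.search(pattern, log_line, re.IGNORECASE) is not None


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("verify wrong:", verify_password("tr0ub4dor&3", stored))
    # Constructed log lines: one scrubbed correctly, one leaking the password.
    print(log_contains_password("user=alice password=[REDACTED] status=200"))
    print(log_contains_password("user=alice password=hunter2 status=200"))
```

The detector is deliberately simple; its purpose is to show the kind of check that would have caught the Twitter case (a plaintext password reaching an internal log), not to be a complete log scanner.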
The exposure of account passwords threatens not only the information stored in those accounts but also any private information held in Facebook-enabled applications. Password reuse is also a factor in any incident like this: anyone who uses their Facebook password for other systems should change it there as well.
Facebook has been looking at the way it stores certain other categories of information, such as access tokens, and is fixing problems as they are discovered. From the Cambridge Analytica scandal about a year ago to several other security problems over the past year, Facebook continues to be criticized over data privacy.