Asia's Source for Enterprise Network Knowledge

Monday, April 22nd, 2019

Security

Facebook passwords for hundreds of millions of users were exposed to Facebook employees

First iOS trojan exploiting Apple DRM design flaws infects any iOS device

Facebook confirmed that hundreds of millions of user passwords were being stored in a “readable format” within its servers, accessible to internal Facebook employees. Affected users will be notified, Facebook said, so they can change those passwords.

Interestingly, Facebook downplayed and confirmed the problem in the same post, filed Thursday, after researcher Brian Krebs issued his own report.  Facebook’s Pedro Canahuati, vice president of engineering for security and privacy, initially referred to “some” user passwords that were accessible to Facebook employees. A paragraph later, he revealed that “hundreds of millions of Facebook Lite users, millions of Facebook users, and tens of thousands of Instagram users” would be notified.

(Facebook Lite was launched in 2009, initially in the U.S. and India, as a simplified version of Facebook accessible to those without access to high-bandwidth internet services. It has since been pushed to many other countries. The vast majority of U.S. users use the full version of Facebook.)

Facebook said that the issue is an internal one. “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Canahuati wrote.

Facebook also discovered issues with how it stored information for things like access tokens, and fixed them. “There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” Canahuati wrote.

Researcher: 20,000 employees had access Krebs paints a different story. Though Krebs stressed that he had no information that Facebook employees had abused their ability to read user passwords, a source told him that employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.

In total, between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees, dating back to 2012, Krebs wrote.

Somewhat oddly, a Facebook engineer named Scott Renfro told Krebs, “What we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this.”

Facebook has already had to deal with scandals that include the aftermath of a terrorist in New Zealand livestreaming his attack on a Christchurch mosque on Facebook Live, and changes made to its advertising policies to prevent discrimination in housing and credit advertising. And those were just the last two days.