Facebook Stored Millions of Passwords in Plaintext—Change Yours Now
By now, it's difficult to summarize all of Facebook's privacy, misuse, and security missteps in one neat description.
It just got even harder: On Thursday, following a report by Krebs on Security, Facebook acknowledged a bug in its password management systems that caused hundreds of millions of user passwords for Facebook, Facebook Lite, and Instagram to be stored as plaintext in an internal platform.
Organizations can store account passwords securely by scrambling them with a cryptographic process known as hashing before saving them to their servers. This way, even if someone compromises those passwords, they won't be able to read them, and a computer would find it difficult, even functionally impossible, to unscramble them.

As a prominent company with billions of users, Facebook knows that it would be a jackpot for hackers, and invests heavily to avoid the liability and embarrassment of security mishaps.
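The hashing practice described above, as an added illustration that is not code from the article or from Facebook: each password is combined with a random salt and run through a slow key-derivation function, only the salted hash is stored, and a login is checked by recomputing the hash rather than by comparing the password itself. The parameter choices and the small audit helper at the end (which flags store entries that are not in the expected hash format, the kind of check that would surface raw passwords in an internal system) are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Example parameters (assumed for this illustration). PBKDF2-HMAC-SHA256 is in the
# standard library; production systems more often use a memory-hard KDF such as
# scrypt or Argon2 and tune the cost to their own hardware.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    The plaintext password never leaves this function; only the derived hash is returned.
    A fresh random salt per password means two users with the same password get
    different records, so one cracked hash reveals nothing about the other.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record without ever storing the password."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters), dklen=KEY_BYTES
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def is_hash_record(value: str) -> bool:
    """True if a stored value parses as one of our hash records rather than raw text."""
    parts = value.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    try:
        int(parts[1])
        bytes.fromhex(parts[2])
        bytes.fromhex(parts[3])
    except ValueError:
        return False
    return len(parts[3]) == KEY_BYTES * 2


def find_plaintext_entries(store: Dict[str, str]) -> List[str]:
    """Audit a credential store and return the usernames whose entry is not a hash record."""
    return sorted(user for user, value in store.items() if not is_hash_record(value))


# Constructed sample store: two properly hashed entries and one that was written
# as plaintext, the failure mode the article describes.
SAMPLE_STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
    "carol": "hunter2",
}

if __name__ == "__main__":
    print("alice login ok:", verify_password("correct horse battery staple", SAMPLE_STORE["alice"]))
    print("alice wrong pw:", verify_password("wrong password", SAMPLE_STORE["alice"]))
    print("alice and bob records differ:", SAMPLE_STORE["alice"] != SAMPLE_STORE["bob"])
    print("plaintext entries found:", find_plaintext_entries(SAMPLE_STORE))
```

Running the block shows that a correct password verifies, a wrong one does not, that alice and bob hold different records despite sharing a password, and that the audit flags carol's entry. The audit is deliberately format-based: anything that does not look like a hash record is suspect, which is the same property a reviewer would want from an internal log or data platform that should never hold raw credentials.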
On April 18, four weeks after the initial disclosure, the company sharply revised the number of affected Instagram accounts upward.
Facebook now estimates that the incident caused "millions" of Instagram passwords to be stored in plaintext, rather than tens of thousands.
For such a prominent target, Facebook has had relatively few technical security failures, and in this case appears not to have been compromised. But the company's track record was severely marred by a breach in September, in which attackers stole extensive data from 30 million users by compromising their account access tokens, the authentication markers generated when a user logs in.
Facebook says that the plaintext password issue is now fixed, and that it doesn't think there will be long-term impacts from the incident, because the passwords were never actually stolen.