Facebook Discovers Another Data Security Issue, with Millions of Passwords Inadequately Stored
Honestly, this summarizes so well what it seems, at least from the outside, to be like at Facebook HQ at the moment.
"working at facebook is like living the Sideshow Bob stepping on rakes GIF" — FB employee, to me — rat king (@MikeIsaac), March 21, 2019
Facebook's latest 'rake' comes in the form of password storage - or more specifically, inadequate internal password storage, which could easily have opened millions of accounts up to hackers.
As explained by Facebook:
"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."
That 'readable format' was plain text, accessible to Facebook employees. For an unexplained reason, Facebook had used this listing for certain internal tasks. Facebook says there is no evidence the data was shared with anyone outside the company, and that outsiders would not have been able to read the information if it had been, but the listing was accessible to some 2,000 internal engineers and developers, which is a considerable vulnerability.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity."
Interesting qualifier in the last line - "don't worry, it was mostly poor people who were affected".
The actual number of accounts impacted is estimated by web security researcher Brian Krebs to be around 600 million, or a fifth of the company’s 2.7 billion users across Facebook and Instagram, though Facebook has not confirmed any official number at this stage.
But even without official confirmation, it's in the millions - Facebook held a plain-text listing of millions of user passwords, which could, potentially, have been exploited by hackers. There's no evidence of this happening, but again, it was a vulnerability, and Facebook is now taking action to address it.
In his notes on the discovery, Krebs says that other platforms like GitHub and Twitter have also used plain text documents to store passwords in the past to assist with internal functions, but in those cases, the information was available to a relatively small number of people within each organization, and for far shorter periods of time. Facebook's plain text listing goes back as far as 2012, according to Krebs' source.
Even though there's no evidence that this information has been shared beyond Facebook, at best, it's another headache for the company, another incident which raises questions over its capacity to handle sensitive information, and manage user privacy.
"There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook."
Which, at this stage, is all you can ask for - but still, coupled with the Cambridge Analytica scandal, the discovery of various bugs which have exposed elements of people's Facebook accounts to hackers, and more recently, the revelation that Facebook has been using people's phone numbers - uploaded for security purposes - for discovery and targeting, it doesn't paint a picture of stable and secure processes at the most used social media platform in the world.
Will this be the final straw that sparks greater regulation, prompting government groups to act and impose stricter controls on Facebook's processes? Even if it's not, it's another significant weight hanging on the opposite side of the scales for Zuck and Co.
Follow Andrew Hutchinson on Twitter