Facebook Stored Hundreds of Millions of User Passwords in Plain Text

It seems that Facebook cannot prevent itself from causing security and privacy problems. According to KrebsOnSecurity, hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees.

A anonymous Facebook insider talked with Brian Krebs. The insider said Facebook is still trying to determine how many passwords were exposed, and for how long. So far, the investigation has uncovered archives with plain text user passwords dating back to 2012.

KrebsOnSecurity also spoke with Facebook software engineer Scott Renfro. He said that the issue first came to light in January of 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.

Facebook sent a written statement to KrebsOnSecurity, in which Facebook said it intends to notify “hundreds of millions of Facebook lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”

Facebook posted information on Facebook Newsroom titled: “Keeping Passwords Secure”. In it, Facebook acknowledges that, during a routine security review in January, they found some user passwords were being stored in a readable format within their internal data storage systems. Facebook says these passwords were never visible to anyone outside of Facebook.

The information from Facebook describes how they protect people’s passwords, and provides some suggestions for securing your Facebook and Instagram accounts. Personally, considering all the security and privacy issues that Facebook has faced, the most secure thing to do would be to delete your Facebook account.