Facebook stored 'hundreds of millions' of unencrypted passwords on internal servers
Adding to multiple security controversies, Facebook is reportedly investigating problems which led to "hundreds of millions" of unencrypted, plain-text passwords being stored on internal servers.
The data accumulated as a result of apps built by Facebook staff, said Krebs on Security, citing an anonymous senior Facebook employee. As many as 200 million to 600 million accounts may have been affected, and searchable by over 20,000 employees, the person said. The exact number of accounts exposed is uncertain, although some of them may have been vulnerable as far back as 2012.
Access logs are said to show that about 2,000 engineers and other developers made some 9 million internal queries for data that contained the passwords.
"The longer we go into this analysis the more comfortable the legal people are going with the lower bounds [of affected accounts]," the source added. "Right now they're working on an effort to reduce that number even more by only counting things we have currently in our data warehouse."
A Facebook engineer willing to go on record, Scott Renfro, acknowledged the situation and said that an official announcement should be made later today, even though the company won't have specific numbers and won't force anyone to do a password reset.
"We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data," Renfro claimed. "In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this. We want to make sure we're reserving those steps and only force a password change in cases where there's definitely been signs of abuse."
The company said similar things in a written statement, but added that impacted accounts include Facebook Lite and Instagram users too.
Facebook uncovered the problem in January when engineers were reviewing new code, Renfro explained. Why it wasn't immediately disclosed isn't presently clear.
"This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening," he said. "We have a bunch of controls in place to try to mitigate these problems, and we're in the process of investigating long-term infrastructure changes to prevent this going forward. We're now reviewing any logs we have to see if there has been abuse or other access to that data."
Facebook has come under intense scrutiny thanks to a variety of security and privacy scandals, two of the most recent involving data sharing deals with companies like Apple, Amazon, Microsoft, and Sony, plus people being able to look up strangers based on phone numbers submitted for two-factor authentication. By far the biggest though is Cambridge Analytica, which has attracted investigations by the U.S. and UK governments over voter data collected without most users' consent. Facebook could potentially end up paying billions in U.S. fines.