Facebook stored hundreds of millions of passwords in plain text

We all know that Facebook’s views on security and privacy leave a lot to be desired, which is concerning considering that hundreds of millions of people use the social media platform to interact on a daily basis. It appears that their level of ineptitude may have taken a turn for the worse, as Facebook was exposing most of their users’ passwords to Facebook employees in the clear.

According to Krebs on Security, although user passwords have for the most part always been hashed (a one-way process that scrambles passwords before they are stored in the database, leaving them completely unreadable even to the company), a series of errors led certain Facebook-branded apps to leave passwords in the clear on the servers, where they were completely accessible to all of its employees (who number nearly 20 000). And this is not a hoax, as Facebook has confirmed the existence of the issue in a recent blog post.

According to Facebook, there is no evidence that passwords were ever exposed outside of the company or that these passwords were ever abused internally. Abused, that is, because as many as 2000 people have reportedly browsed through the passwords since 2012, meaning the company has been aware of the issue for a long time.

This is obviously a massive violation of not only industry best practices but also their own terms of service, which mention that your password will be stored in a secure manner. That the issue has been known for so long also shows massive negligence on the part of the company, as this should be a priority fix and something which should’ve been addressed the moment it was discovered. That this is also something that is fairly easy to do makes it all the more glaring.

Many companies would fire people and see executives resign over such a blatant security flaw, though at the moment it seems unclear if Facebook is going to do anything of the sort. And given their dodgy track record, I wouldn’t trust Mark Zuckerberg to do anything about it either.

The issue has reportedly been fixed now, so if you haven’t already done so while reading this article, go change your Facebook password now, just to be safe. Or just delete your account entirely, you probably won’t regret it.

Last Updated: March 25, 2019

5 Comments

  1. Yahtzee

    March 25, 2019 at 09:12

    “Or just delete your account entirely, you probably won’t regret it.”

    Did this in 2012. Never looked back.

    • Admiral Chief

      March 25, 2019 at 10:01

      A wild Yahtzee appears!

      • Yahtzee

        March 25, 2019 at 10:11

        What brick through yonder window breaks. It is the East, and Yahtzee’s got a gun.

  2. Viper_ZA

    March 25, 2019 at 11:13

    *cough* SUCKERberg
