Facebook saved many millions of unencrypted passwords
Facebook admits that the company has stored unencrypted passwords from millions of users on one of its servers.
The website KrebsOnSecurity writes that hundreds of millions of Facebook users have their passwords stored on a server searchable by thousands of the media giant's employees.
Facebook tells the security website that an ongoing investigation has not provided any indication that the employees have abused their access.
“Just to make it clear, these passwords were never visible to anyone outside of Facebook, and we have not found evidence that anyone internally has abused or mistakenly accessed them,” Facebook spokesperson, Pedro Canahuati, states.
600 million unencrypted user passwords
Facebook sources say the investigation so far indicates that the passwords of between 200 and 600 million users were stored on the server, to which over 20,000 employees had access.
The storage allegedly dates back to 2012. According to KrebsOnSecurity, Facebook’s engineers and developers have since made about 9 million searches for data items containing user passwords in plain text.
Facebook does not want to comment on this information, except to say that so far it has not found that anyone has searched specifically for passwords.
“We have also not found any signs of data abuse,” Facebook developer Scott Renfro tells KrebsOnSecurity.
“Facebook is planning to alert users, but there is no need to change passwords,” according to Renfro.
“No organization, especially a Facebook-sized organization, needs to store users’ passwords in plain text,” computer security expert at Recorded Future, Andrei Barysevich, emphasises.
He can’t remember any similar case where so many passwords have been stored unencrypted.
“The matter is very embarrassing for Facebook,” security expert and owner of the website haveibeenpwned.com, Troy Hunt, believes.
“The purely practical consequences are, true enough, small, as long as no outsiders have gained access to the passwords,” he continues.
Hunt points out that Facebook has previously been subject to hacking. As recently as September, outsiders gained access to 29 million user accounts.
Jake Williams, who runs the computer security company Rendition Infosec, says that storing passwords in unencrypted form is by no means unusual.
“Unfortunately, it is more common than most people in the industry like to talk about,” he says, adding that it happens most often when developers try to clean computer systems of viruses.
© NTB Scanpix / #Norway Today