On Thursday (March.21st), following a report from by cyber-security reporter Brian Krebs, Facebook confirmed in a blog post, that it had found a flaw in its system that stored “hundreds of millions” of account passwords in plain text for a number of years.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” said Pedro Canahuati, Facebook’s vice president of engineering, security, and privacy wrote in a statement.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution, we will be notifying everyone whose passwords we have found were stored in this way.”
Canahuati said that no one outside of the company had access to the passwords.
The report comes months later after Krebs said logs were accessible to some 2,000 engineers and developers.
Krebs said that the company has been storing these passwords without securing them since 2012.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” said Canahuati.
“We have found no evidence to date that anyone internally abused or improperly accessed them,” but did not say how the company came to that conclusion.
Facebook said it will notify “hundreds of millions of Facebook Lite users”, a lighter version of Facebook predominately used by people in regions with lower internet connectivity, and “tens of millions of other Facebook users”.
Facebook also said “tens of thousands of Instagram users” will be notified of the exposure.
So far, according to Krebs, between 200m and 600m of Facebook’s 2.7bn users may have had their passwords exposed, but the company has yet to confirm the number of those affected.
The company did not confirm how the bug appeared on their management system.
Storing passwords in plain text is an unsecure way of storing passwords. Companies, like Facebook, use hashing and salted passwords – two ways of further scrambling passwords – to store passwords securely. This allows people who had access to Facebook’s internal data to verify user’s passwords without knowing what it is.
GitHub and Twitter were hit by a similar, but independent, bug last year. Both companies said passwords were stored in plain text and not scrambled.
The bug is the latest security issue at the company, which has been dealing with a number of inquiries and government investigations. It was reported last week that Facebook is facing criminal investigation for a series of controversial data-sharing deals it signed with other major tech companies.