Facebook Stored Unprotected Passwords of Hundreds of Millions of Users

Facebook mistakenly stored “hundreds of millions” of passwords in plaintext, unprotected by any encryption, the company has admitted.

The mistake, which led to user passwords being kept in Facebook’s internal servers in an insecure way, affects “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”, according to the social networking site. Facebook Lite is a version of Facebook created for use in nations where mobile data is unaffordable or unavailable.

In a statement, Facebook’s vice-president for engineering, security and privacy, Pedro Canahuati, said: “We have found no evidence to date that anyone internally abused or improperly accessed” the passwords, which “were never visible to anyone outside of Facebook”. Affected users will be directly notified.

Nonetheless, the risk of misuse was high. According to security reporter Brian Krebs, who cited a “senior Facebook insider”, “access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords”.

Best practice for password security involves a number of precautions to ensure that, even if the company is hacked, stolen passwords cannot be used. Passwords should be “hashed”, a one-way process that transforms each password into a fixed-length “hash” from which the original password cannot be recovered, and ideally “salted” with a random per-password value, ensuring that even two identical passwords produce different hashes. Those are the security practices that Facebook normally follows, and which were overlooked in this case.

Canahuati said Facebook has now fixed this particular issue, as well as some problems the company has discovered in other security features, such as the code by which users log in through other apps.

The information commissioner’s office warns companies: “Do not store passwords in plaintext – make sure you use a suitable hashing algorithm, or another mechanism that offers an equivalent level of protection against an attacker deriving the original password.

“You should also ensure that the architecture around your password system does not allow for any inadvertent leaking of passwords in plaintext.” The guidance refers to the exact sort of error that Facebook admitted to on Thursday.

The ICO has not issued a fine purely for storing passwords in an insecure fashion, although it has cited insecure storage as an aggravating factor when penalising more serious data protection breaches.

#facebook #instagram
