Facebook Stored Millions Of User Passwords In Plain, Readable Text
By Sasha Ingber
Unknown to hundreds of millions of Facebook users, their passwords were sitting in plain text inside the company's data storage, leaving them vulnerable to potential employee misuse and cyberattack for years.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," Facebook's Vice President for Engineering, Security and Privacy Pedro Canahuati said in a statement Thursday.
Staff made the discovery in January, during a routine security check, he said.
The company plans to notify hundreds of millions of Facebook Lite users, in areas with scant connectivity, as well as tens of millions of other Facebook users and tens of thousands of Instagram users.
"My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords," blogger Brian Krebs stated.
The archives date back to 2012, according to the report.
Thursday's disclosure is the latest in a slew of controversies. In 2018, the world learned that political consulting firm Cambridge Analytica harvested information on millions of Facebook users. Later that year, Facebook announced a massive security breach affecting nearly 50 million accounts.
"This is a company that goes from crisis to crisis," Jeff Chester, executive director of the Center for Digital Democracy, tells NPR.
He says it's part of a pattern. "Although Facebook is not alone, the problem is that the focus has been on turning all this data into revenue to help advertisers and not enough has been done to help data security."
Last month, British lawmakers likened Facebook to "digital gangsters" who shunned accountability as disinformation spread like wildfire on social media.
Federal prosecutors are currently conducting a criminal investigation into arrangements Facebook made with Amazon, Apple and other tech giants, according to the New York Times. The partnership may have enabled the companies to access troves of user data, at times without consent.
Chester says news of the password storage insecurity could add fuel to a flame burning in Washington among lawmakers pushing for regulations on big tech companies. "This makes the case for Congress passing privacy legislation and toughening up cybersecurity laws as well," Chester says.
Facebook insists privacy is its top priority.
"There is nothing more important to us," Canahuati said, "than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook."
Note: Facebook is among NPR's financial supporters.