Facebook has confirmed that a “glitch” in its systems left the passwords of millions of account holders readable by as many as 20,000 employees.
Around 600 million passwords were stored in plain text, with no hashing or encryption, according to security researcher Brian Krebs, who believes the exposure may reach back to 2012.
In response, Facebook has said it has fixed the error that left passwords stored insecurely on its internal servers. Also affected were hundreds of millions of users of Facebook Lite, a version of the social network used in countries where mobile data is limited or restricted.
Speaking to Reuters, the company said:
“These passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.
“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
Mr Krebs explained that Facebook had described the “security failures” to him, and that engineers had been allowed to build internal applications that stored passwords without security safeguards in place.
In response to Mr Krebs’s report, Facebook engineer Scott Renfro said an investigation had been launched and that the company’s logs had so far shown no sign of the data being abused. Facebook says the issue was first discovered in January during a routine security review.
Mark Zuckerberg’s company has said it will force a password reset should the teams investigating the incident find that login credentials were misused.
Speaking to GDPR: Report, Oz Alashe, CEO of the intelligent cyber security awareness platform, CybSafe, said:
“It’s common practice to hash and salt passwords in databases, and this makes it difficult for criminals to crack an entire password database. Hashing masks the original password with different values, and salting ensures that even passwords which are the same are hashed differently.
“The fact that Facebook has failed to carry out these basic activities here is almost certain to be accidental rather than intentional.
“Despite clear negligence, it seems unlikely that GDPR will be applied here. Historically, the ICO has punished businesses which have suffered breaches because of poor password management. However, there is no indication in this instance that a breach has occurred,” he added.
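To make the practice Alashe describes concrete, here is an added example that is not code from Facebook, from GDPR:Report or from CybSafe. It contrasts the plaintext storage at the heart of this incident with salted password hashing, using only the Python standard library (PBKDF2-HMAC-SHA256, a stand-in for whatever production scheme a site actually uses). The user list and passwords are constructed sample data, and the function names are this example’s own.

```python
"""Plaintext storage beside salted password hashing.

Added example, not code from Facebook or any party quoted in the article.
Standard library only: hashlib, hmac, os. Sample data below is constructed.
"""
import hashlib
import hmac
import os
from typing import List, Optional

# Work factor for PBKDF2-HMAC-SHA256. Production deployments tune this upward
# (or use Argon2, bcrypt or scrypt); it is kept modest so the example runs fast.
ITERATIONS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def store_plaintext(password: str) -> str:
    """The insecure pattern the article describes: the credential is kept as-is.
    Anyone who can read the store, or the logs it was copied into, has the password."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and hash a password. Returns a self-describing record:
    scheme$iterations$salt_hex$digest_hex, so the parameters travel with the hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported record scheme: {scheme}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """The property Alashe points at: two users with the same password get
    different stored records, because each record carries its own salt."""
    return store_hashed(password) != store_hashed(password)


def count_shared_unsalted(passwords: List[str]) -> int:
    """Unsalted hashing leaks password reuse: equal digests mean equal passwords,
    so one cracked digest (or one rainbow-table lookup) unlocks every matching user."""
    digests = [hashlib.sha256(p.encode("utf-8")).hexdigest() for p in passwords]
    return len(digests) - len(set(digests))


def count_shared_salted(passwords: List[str]) -> int:
    """With per-record salts the same password list produces no duplicate records."""
    records = [store_hashed(p) for p in passwords]
    return len(records) - len(set(records))


if __name__ == "__main__":
    # Constructed sample: three users, two of whom reuse the same password.
    sample_passwords = ["hunter2", "letmein", "hunter2"]
    print("plaintext store exposes:", [store_plaintext(p) for p in sample_passwords])
    print("duplicate unsalted digests:", count_shared_unsalted(sample_passwords))
    print("duplicate salted records:", count_shared_salted(sample_passwords))
    record = store_hashed("hunter2")
    print("stored record:", record)
    print("correct password verifies:", verify_hashed("hunter2", record))
    print("wrong password verifies:", verify_hashed("hunter3", record))
```

The point of the self-describing record format is operational: when the work factor has to rise, or the scheme changes, old records still state how they were produced and can be re-hashed on the user’s next successful login rather than forcing a mass reset.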
This incident is the latest in a long line of security failures at Facebook since the start of last year, when news broke of its relationship with UK-based data analytics firm Cambridge Analytica.
That controversy eventually led to the social network being fined the maximum £500,000 under the Data Protection Act 1998, the legislation in force while the data was being harvested in the run-up to the 2014 and 2016 US election cycles.
In September 2018, news broke of a flaw in Facebook’s security systems that led to the compromise of 50 million user accounts. The company is currently the subject of no fewer than ten separate investigations by the Irish Data Protection Commission into further data-handling failures.