Facebook confirmed Thursday that hundreds of millions of user passwords were being stored in a “readable format” within its servers, accessible to internal Facebook employees. Affected users will be notified, Facebook said, so they can change those passwords.
Interestingly, Facebook downplayed and confirmed the problem in the same post, filed Thursday, after researcher Brian Krebs issued his own report. Facebook’s Pedro Canahuati, vice president of engineering for security and privacy, initially referred to “some” user passwords that were accessible to Facebook employees. A paragraph later, he revealed that “hundreds of millions of Facebook Lite users, millions of Facebook users, and tens of thousands of Instagram users” would be notified.
(Facebook Lite was launched in 2009, initially in the U.S. and India, as a simplified version of Facebook accessible to those without access to high-bandwidth internet services. It has since been pushed to many other countries. The vast majority of U.S. users use the full version of Facebook.)
Facebook said that the issue is an internal one. “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Canahuati wrote.
Facebook also discovered issues with how it stored information for things like access tokens, and fixed them. “There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” Canahuati wrote.
Researcher: 20,000 employees had access
Krebs paints a different story. Though Krebs stressed that he had no information that Facebook employees had abused their ability to read user passwords, a source told him that employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.
In total, between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees, dating back to 2012, Krebs wrote.
Somewhat oddly, a Facebook engineer named Scott Renfro told Krebs, “What we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this.”
Facebook has already had to deal with scandals that include the aftermath of a terrorist in New Zealand livestreaming his attack on a Christchurch mosque on Facebook Live, and changes made to its advertising policies to prevent discrimination in housing and credit advertising. And those were just the last two days.
What this means to you: Whether there was risk or not, if you’re notified by Facebook that your password may have been seen by Facebook employees, change it. Whether you want to continue to doing business with Facebook is up to you; if you’d like to delete Facebook, disable it, or just limit your account, here’s our guide to do so.