from the deep-seated-insecurities-and-paranoia dept.
Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee [ . . . . ]
My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords. [ . . . . ]
Both Github and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people
[ . . . . ] the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.
If I had a Facebook account, I would be reassured by Facebook's reassuring reassurances.
(Score: 3, Funny) by JakeLight on Friday March 22, @02:29PM (9 children)
Phew...that was a close one! Thank goodness they didn't abuse that data!!
(Score: 2) by Runaway1956 on Friday March 22, @02:35PM
I am also reassured, LOL!
Have you hugged your
presidentugly dog today?
(Score: 2) by DannyB on Friday March 22, @02:39PM (7 children)
Facebook employees did not abuse any data. Or any squirrels.
ALL LIABILITY IS EXPRESSLY DISCLAIMED FOR PERSONAL INJURY OR DEATH THAT RESULTS FROM READING THE SOURCE CODE.
(Score: 3, Touché) by Booga1 on Friday March 22, @02:44PM (2 children)
The squirrels are probably pretty safe.
It's the llamas that had to be worried, at least over at AOL's Winamp department.
Radionomy bought Winamp but it remains to be seen how they'll treat the llamas.
(Score: 3, Funny) by looorg on Friday March 22, @03:48PM (1 child)
I would assume there will be some kind of spanking of the buttocks area involved for the llamas.
(Score: 2) by cmdrklarg on Friday March 22, @03:54PM
That was Winamp's job.
THE SOFTWARE, IT NO WORKY!
(Score: 1, Funny) by Anonymous Coward on Friday March 22, @02:47PM (3 children)
Once you make the all-important distinction between (epistemic) data space state and (ontic) configuration or phase space state in (applied) non-classical cryptographic analysis, then do you stand by your words?
(Score: 0) by Anonymous Coward on Friday March 22, @03:04PM
Um ... let me get my decoder ring and figure out what you just asked. In the mean time, would you like to keep yourself busy by accessing our user data via this "secure" (wink wink) API?
(Score: 0) by Anonymous Coward on Friday March 22, @03:10PM
That's what she said.
(Score: 2) by DannyB on Friday March 22, @03:30PM
Let me run that through my genetic adversarial Monte Carlo generative quantum deep neural network Bayesian filter simulation algorithm. Then I'll get back to you with an answer.
ALL LIABILITY IS EXPRESSLY DISCLAIMED FOR PERSONAL INJURY OR DEATH THAT RESULTS FROM READING THE SOURCE CODE.
(Score: 3, Touché) by Snow on Friday March 22, @03:01PM
Shocked I tell ya! Facebook has always been at the forefront of user data security and privacy. I can't believe that they didn't properly protect private user data.
FAKE NEWS!
(Score: 1, Troll) by realDonaldTrump on Friday March 22, @03:05PM
Facebook, if you're listening, I thank you. Christopher Wray, my top G-man, thanks you. And the American "people" thank you. The only responsible encryption is NO encryption. No more San Bernardinoes!!!!
🇺🇸KEEPING PROMISES. BUILDING BARRIER(WALL). PUTTING AMERICA FIRST! #TRUMP2020🇺🇸
(Score: 2) by Freeman on Friday March 22, @03:10PM (4 children)
Not storing your users' passwords in plain text is what I would call very basic security practice. It could almost be forgiven, if this happened near the beginning, and was fixed later. As opposed to just extremely poor customer privacy standards. Of course, considering they're selling your data anyway, it's more like par for the course.
"I said in my haste, All men are liars." Psalm 116:11
(Score: 2) by Runaway1956 on Friday March 22, @03:23PM (1 child)
Well, you have a word out of place there, it seems. Facebook values your privacy, and mine, but not NEARLY as much as they value their CUSTOMERS' privacy!! We both know who their primary, secondary, and tertiary customers are, right? 1. US/5eyes intel communities 2. corporations with deep pockets 3. corporations and governments with less deep pockets. Joe and Jane Sixpack and their stick figure families of fifteen kids and a poodle are PRODUCTS.
http://66.media.tumblr.com/4c40c4673c59f19a613067631aa5cc01/tumblr_mzaqpgXs3J1qznswqo1_1280.jpg [tumblr.com]
Have you hugged your
presidentugly dog today?
(Score: 2) by Runaway1956 on Friday March 22, @03:35PM
Forget the tumblr link - unfortunate stick figure family is much more fun! I may put them all together, and loop them for entertainment! https://www.youtube.com/results?search_query=unfortunate+stick+figure+family [youtube.com]
Have you hugged your
presidentugly dog today?
(Score: 2) by DannyB on Friday March 22, @03:39PM
I THINK that Facebook stores passwords in a non-plaintext form. At least that's how I read TFA.
That is why someone had to implement plaintext password logging in some code somewhere to capture the passwords. This was then discovered in the code review.
Once you start massively logging plaintext passwords, then you've completely defeated the purpose of encrypting or hashing passwords. (Hint: hash, don't encrypt. Also hash with salt and pepper)
Next best practice: Once you've hacked the login procedure to store plain text login passwords, then create an API to make them widely available. It won't be abused. I promise!
But the way that I did it in my project was to hash the password in the browser before it ever goes to the server (over TLS). I could always change the code to send the password over TLS to the server where it could be hashed. Any opinions about the tradeoff of hashing the password at the browser vs the server?
ALL LIABILITY IS EXPRESSLY DISCLAIMED FOR PERSONAL INJURY OR DEATH THAT RESULTS FROM READING THE SOURCE CODE.
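The two points in the comment above (hash with a per-user salt and a site-wide pepper, never encrypt) and the failure in the article (application code inadvertently logging the plaintext password) are illustrated below in an added Python example that is not from the article or from any commenter. The pepper value, the logger name "demo.auth" and the helper names are constructed for this demo.

```python
import hashlib
import hmac
import io
import logging
import os
import re

# Constructed pepper for this demo. In production it lives outside the user
# database (secrets manager or HSM), so a dump of the table alone is useless.
PEPPER = b"demo-pepper-not-a-real-secret"

def hash_password(password: str, salt: bytes = None) -> dict:
    """Random per-user salt, secret pepper applied via HMAC, then a slow KDF."""
    salt = salt or os.urandom(16)
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    # PBKDF2 for portability; scrypt or Argon2id is the better choice today.
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, 200_000, dklen=32)
    return {"salt": salt, "hash": digest}

def verify_password(password: str, record: dict) -> bool:
    candidate = hash_password(password, record["salt"])["hash"]
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare

# The failure in the article: code logged a request object that still carried the
# plaintext password. A logging.Filter scrubs sensitive keys before any sink sees it.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|pwd|secret|token", re.IGNORECASE)

def redact(data: dict) -> dict:
    return {k: ("[REDACTED]" if SENSITIVE_KEY.search(k) else v) for k, v in data.items()}

class RedactFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        args = record.args
        if isinstance(args, dict):   # logging collapses a lone dict arg to the dict itself
            record.args = redact(args)
        elif isinstance(args, tuple):
            record.args = tuple(redact(a) if isinstance(a, dict) else a for a in args)
        return True

def log_login_attempt(request: dict) -> str:
    """Logs a login request the careless way; returns what actually reached the log."""
    buf = io.StringIO()
    logger = logging.getLogger("demo.auth")
    logger.handlers.clear()
    logger.addFilter(RedactFilter())
    logger.addHandler(logging.StreamHandler(buf))
    logger.setLevel(logging.INFO)
    logger.info("login request: %s", request)
    return buf.getvalue()
```

The filter is a safety net on the logger, not a substitute for never handing the raw credential to logging code in the first place.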
(Score: 2) by looorg on Friday March 22, @03:50PM
But just imagine how much electricity they save every year by not using encryption and wasting all them CPU-cycles to deal with that. It's for the environment!
(Score: 2) by kazzie on Friday March 22, @03:37PM (1 child)
Have they made any of those? Or was it the usual non-reassuring reassurances?
(Score: 3, Insightful) by DannyB on Friday March 22, @03:48PM
* Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
That is reassuring.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.
That is very reassuring. It almost guarantees that the first statement is NOT so reassuring.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.
Good thing it only went on for a limited amount of time.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.
Very reassuring. It assures me that the likelihood of abuse is approximately 100%.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* “The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said.
Not surprising.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
Alter the methodology.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.
Even though the article's inside source already gave numbers.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* the company planned to alert affected Facebook users, but that no password resets would be required.
Of course not. Resetting passwords would make the collected plaintext passwords useless. Someone would have to go re-hack the login procedure to log plaintext passwords and start collecting them all over again!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,”
Just because you don't see it doesn't mean it isn't there. Bad actors try to hide what they do. At least if they know what's good.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this.
How do you know that?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* “We have a bunch of controls in place to try to mitigate these problems, and we’re in the process of investigating long-term infrastructure changes to prevent this going forward. We’re now reviewing any logs we have to see if there has been abuse or other access to that data.”
I find this very reassuring.
ALL LIABILITY IS EXPRESSLY DISCLAIMED FOR PERSONAL INJURY OR DEATH THAT RESULTS FROM READING THE SOURCE CODE.