posted by chromas on Friday April 19 2019, @12:00AM
from the text/plain;charset=oooops? dept.

Facebook Stored Millions of Instagram Passwords in Plain Text:

Facebook says it stored millions of Instagram users’ passwords in plain text, leaving them exposed to people with access to certain internal systems. The security lapse was first reported last month, but at the time, Facebook said it only happened to “tens of thousands of Instagram users,” whereas the number is now being revised up to “millions.” The issue also affected “hundreds of millions of Facebook Lite users” and “tens of millions of other Facebook users.”

Passwords are supposed to be stored in an encrypted format that allows websites to confirm what you’re entering without directly reading it. But as Krebs on Security first reported, various errors seem to have caused Facebook’s systems to log some passwords in plain text since as early as 2012. Facebook noticed the problem in January and said in March that the issue had been resolved.

Who could ever imagine FaceBook treating users' passwords as if it were a game.



Related Stories

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee [ . . . . ]

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords. [ . . . . ]

Both Github and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people

[ . . . . ] the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.

If I had a Facebook account, I would be reassured by Facebook's reassuring reassurances.



This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Friday April 19 2019, @12:14AM (#831965)

    These cretins have some new data related mishap in the news every week. Sooner or later the US government will get off its ass and enforce the consent decree from 2011 and fine them untold billions of dollars. Until then FB will just keep doing what they want.

    • (Score: 2) by takyon (881) <takyonNO@SPAMsoylentnews.org> on Friday April 19 2019, @12:26AM (#831972)

      It sounds like Facebook just discovered this on their own and it wasn't actually abused. It's a security non-story.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 1, Insightful) by Anonymous Coward on Friday April 19 2019, @12:52AM (#831975)

        It is not a non-story. Any time any company, let alone a behemoth tech company, stores passwords in anything other than salted hashes it is an extremely concerning event. How does anyone think it is OK at FB? The people making those decisions are probably making other bad decisions regarding data and security.

        Just because FB says no one accessed them doesn't mean that no one accessed them. FB is about as trustworthy as the government, and they continue to misrepresent their practices and their intentions.

        • (Score: 0) by Anonymous Coward on Friday April 19 2019, @01:11AM (#831983)

          They did store the login passwords salted. The problem is that they had another database to store the passwords they secretly captured on the client side and sent home for analysis to ensure you weren't withholding any personal information... these were the ones that were stored as plain text. Simple mistake.

          • (Score: 0) by Anonymous Coward on Friday April 19 2019, @02:10AM (#832003)

            Simple mistake made by simple people who don't know security and don't give a damn about their users.

      • (Score: 2) by Snotnose (1623) on Friday April 19 2019, @02:25AM (#832009)

        Horseshit. They stored passwords in plaintext. Something which has been a no-no for a good 30 years.

        Until people are publicly fired and shamed, and FB fined millions, I'm, well, I'm not gonna hold my breath.

        --
        When the dust settled America realized it was saved by a porn star.
  • (Score: 0) by Anonymous Coward on Friday April 19 2019, @01:27AM (#831989)

    No one was surprised.

    • (Score: 2) by rigrig (5129) <soylentnews@tubul.net> on Friday April 19 2019, @12:45PM (#832128)

      I was a bit surprised actually.
      So far pretty much any oops at Facebook has been "Sorry we 'accidentally' abused your privacy even more than we said we would", not actual incompetence.

      --
      No one remembers the singer.
      • (Score: 0) by Anonymous Coward on Friday April 19 2019, @05:23PM (#832215)

        I stand corrected.

        Personally, I wasn't surprised at all, because FB has always focused on growth and above all else. This gave rise to their corporate-wide motto "move fast and break things."

        In their headlong rush to monetize every single keystroke [dailymail.co.uk] and to suck up as much data as possible, with or without user consent [arstechnica.com], it was inevitable that poor security practices would creep in.

        And just because this is the only recent such stupidity, doesn't mean there haven't been others, nor does it mean that there aren't others going on right now.

  • (Score: 2) by Gaaark (41) on Friday April 19 2019, @02:14AM (#832005)

    What da fuck is Facebook Lite?
    Facebook for slow people? No, that's Facebook.
    FB for idiots? No, that's FB.

    Seriously...wdf?

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: -1, Troll) by Anonymous Coward on Friday April 19 2019, @11:02AM (#832105)

      Let me google that for you ... on second thoughts, no: google it yourself!

      AC

  • (Score: 0) by Anonymous Coward on Friday April 19 2019, @11:42AM (#832117)

    "We're so really very sorry and make sure this never happens again. And this time (#231) we really mean it!"
