March 21, 2019

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.

Both Github and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people within those organizations, and for far shorter periods of time.

Renfro said the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.

“This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening,” Renfro said. “We have a bunch of controls in place to try to mitigate these problems, and we’re in the process of investigating long-term infrastructure changes to prevent this going forward. We’re now reviewing any logs we have to see if there has been abuse or other access to that data.”

Facebook’s password woes come amid a tough month for the social network. Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world’s largest tech companies.

Earlier in March, Facebook came under fire from security and privacy experts for using phone numbers provided for security reasons — like two-factor authentication — for other things (like marketing, advertising and making users searchable by their phone numbers across the social network’s different platforms).

Update, 11:43 a.m.: Facebook has posted a statement about this incident here.

208 thoughts on “Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

  1. Robin

    Well, I think it is difficult to quit Facebook. We all depend on it for most of the things, especially when you are running some business or you are an influencer. So, I think quitting Facebook is not a good idea. If you want to be secure and want to protect your data then you should choose your password wisely.

    1. Abraham

      The best case in this scenario is that you used a password that you didn’t reuse on any other website. You could have had the best or longest password ever in this case, but if it was stored in plain text it wouldn’t make a difference.

  2. John IL

    I picture Facebook’s security officer sitting in a room alone and nobody bothers to confer. Maybe this person’s brings up these failures, but probably gets ignored. More then likely nobody really cares at Facebook, this goes way back to Zuckerberg’s college days when he started a social network and bragged about his access to users data. Clearly a plan of Facebook all along to collect lot’s of user data for making money from. We should not be surprised and shouldn’t expect Zuckerberg to change because he has a long history on not being concerned.

    1. acorn

      He has outrought said such in so many words years ago and perhaps against last year , along with his team.

    2. Mahhn

      As someone recently shared with me, FB could be the implementation of the CIA project LifeLog.

  3. Earthling

    I agree with many commentators above. Saying that a password change is not required is irresponsible even without a breach of this sort. Change your password on Facebook ASAP. Even if you are not on Facebook, but were at some point in the past, double check your passwords on any other site and change those too if you have suspicion that it may be created with a similar logic. While security conscious folks may create different passwords for different sites, or may regularly change passwords on websites, the rest of the public may have someone who doesn’t.

  4. CyberSecOp

    Wow Facebook has been bad at security for a long time: I feel like every month we learn something bad about Facebook, but their stocks are not affected. It is like we are now immune or come to an acceptance that they will fail at protecting our privacy. other companies get one bad news and their stocks take a dive but not Facebook.

  5. 00000000000124009

    o))) Well hello ANOTHER BREACH GREAT THAT SUCKS. What i suggest is maybe getting into some of your own practiced Encryption OR BUYING A YUBIKEY ( Not yelling at you)

    o))) I use YUBIKEY all the time and it doesn’t happen to me any breaches and my online is more of a battle with the hackers and bullies and password theifs and phone theifs and all those in-between fun. ITS A GREAT Psyche Work out. something physical if im walking or running or exploring new territory.

    o))) also if you want to make it more physical get into exploring NFC Tags.

    o))) The QR Code Way is a little tricky cause involves paper.

    Crypto: 07b654385c3cf16f73ff6441a785e182

  6. Mark

    I thought Facebook hires some good engineers, hard to imagine that only after 2000 people searching do they start to fix this. It should honestly be pretty obvious.

    1. Mike

      They did/do hire good engineers. Your mistake is assuming this was not the behavior that was intended.

  7. Jackie

    I know I had a problem 2 years ago that made me delete my account. First I deactivated it. Then I wanted to change my password, before I decided to delete it. What made me delete it was that I wanted to use a password I had used before. Facebook said that I had already used that one.
    Made me think alot about it, because I always thought passwords were for my eyes only.
    Don’t know if this has anything to do with what’s going on with the employees, I hope not.

    1. Anthony

      A provider preventing you from using an old password doesn’t necessarily mean they’re storing your password in plaintext. Basically it works like this.

      You sign up and create a password. Your password would be sent to the server, hashed, and stored in a database under some field, let’s call it “CurrentPassword”.

      You change your password. The server hashes your new password and checks it against however many old passwords they store. If no matches are found and the password complies with whatever password rules they have, the value in “CurrentPassword” is moved to “OldPassword1” and the new password is hashed and stored in “CurrentPassword”.

  8. moops

    Not scrubbing PID and passwords from a logger is a real rookie mistake though. It is clearer than ever that the company just doesn’t have security on it’s mind when it starts any activity.

  9. Readership1

    Mass market topics produce the most useless comments.

  10. Animeholik

    Cases of this kind happen. It is time to ask what was the specific purpose of this? Why did they keep users’ passwords as plain text?

  11. Sigehelm

    Unfortunately, there’s a lot more sites people use that store passwords in clear-text in the database. The proliferation of scripts, and non-security oriented programmers has increased this dramatically. As difficult as it is, a different password for each site is looking like the way to go.

  12. Sumerce

    I think the passwords have leaked outside of FB.
    I got a successful login from unusual device notification today to my FB account. Had to reset my pwd and so on. I am pretty sure leak is not from elsewhere as use unique complex passwords in each website and sonthis break into my FB account could not have been possible from another site compromission. I also don’t believe too much in the coincidence.

  13. Sarah Spence

    I received a message from facebook telling my password had been one of the many recorded. I do believe what they are telling us in the press release is outer balls. Something else bigger is going on, someone has just leaked the information, now they are trying to cover it up.

  14. freediverx

    Facebook cares only about growth – growth at any cost. Everything else is treated as an obstacle, including privacy and security. It’s becoming clear that Facebook is essentially a global criminal organization.

Comments are closed.