March 21, 2019

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.

Both Github and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people within those organizations, and for far shorter periods of time.

Renfro said the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.

“This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening,” Renfro said. “We have a bunch of controls in place to try to mitigate these problems, and we’re in the process of investigating long-term infrastructure changes to prevent this going forward. We’re now reviewing any logs we have to see if there has been abuse or other access to that data.”

Facebook’s password woes come amid a tough month for the social network. Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world’s largest tech companies.

Earlier in March, Facebook came under fire from security and privacy experts for using phone numbers provided for security reasons — like two-factor authentication — for other things (like marketing, advertising and making users searchable by their phone numbers across the social network’s different platforms).

Update, 11:43 a.m.: Facebook has posted a statement about this incident here.

208 thoughts on “Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

  1. James D Smith

    Renfro said “…We’re not reviewing any logs we have to see if there has been abuse or other access to that data.”

    Why not?

    1. BrianKrebs Post author

      This was a typo on my part. Should read “We’re now reviewing…” Have fixed, thanks.

  2. John

    That is brilliant. They use that accounts to make high MAU and DAU. Just log in when they need it.

  3. Mike U

    Its good that they are now being a lot more transparent when they do screw up. And seem to sincerely have a desire and be making efforts to change things going forward.

    1. rip

      How do we know they are being more transparent when they do screw up?

      They only admit to basefooking things up when they are caught – and they’ll prevaricate and stall as much as they can along the way. Just look at the CEO’s shifty eyes and you know there’s more basefooking going on.

      1. will

        Transparency that nothing on Facebook is secure, anybody sophisticated who wanted your data could take it, and the Company never followed its own policies, and lied about everything constantly.

    2. brett

      what are you talking about, this is a leek from an anonymous employee.

      1. Paul

        No it’s not, Facebook has made this public in a Newsroom post released today.

        1. Jon Marcus

          Facebook put out that release that only *after* this post went up.

          He’s right.

    3. John

      you’ve gotta be kidding. they described this negligence involving hundreds of millions of users as “some passwords” in a press release titled “Keeping Passwords Secure”

  4. Danny Kellett

    Why would any company even *need* to know/store a plain text password? Genuinely don’t know why and please feel free to reply if you do.

    1. somguy

      The “reason” is because it’s convenient. Full stop.

      Like engineers being able to login directly to the account to double check something. Or logging it to verify it’s transmitted correctly.

      Security wise though, there should NEVER be a reason. Engineers could use a special access permission or something. Hashes could be used in transmission.

      1. Nate

        Anyone embarrassed about saying something in the past can say it wasnt me!

      2. Benjamin

        The thing that is surprising is that given Facebook’s view of itself as a ‘Platform’, not having a shared authentication service across all applications is very, very strange.

    2. Tao king suluman

      Becoze thou do never ever know the future of others mind’s behaviour, do you?

    3. Indrek

      As I interpreted the article, they were not directly storing passwords as plaintext, but logging them as such in some cases.

  5. Roderick BLANTON

    I have tried to get back into my original account and I can’t log back into it could you please help me cause I have been on FACEbook since 2015.

  6. Daniel Brisson

    Pathetic excuses and very shameful!
    Even in old applications like accounting, financial or nonprofit organization softwares using Clipper, Visual Fox Pro, SQL Server or else, we encrypted passwords in databases knowing that it was important.
    What happened with this issue tells a lot about the recent development methods and other flaws we don’t know yet.

  7. vb

    I have to presume they are just as lax with the security questions and responses. Once those are in plain text and copied, it doesn’t matter if the password is changed.

  8. Former FB User

    A Slashdot commenter made a potential connection here – he suggests that FB may have actually lost this database (or a portion of it) as he’s been getting that email/pw pair emailed to him in the recent sextortion (and now CIA) spam campaigns.

    Of course it’s possible that he simply reused that password in multiple places and it was breached elsewhere. But with 20,000 users having access and 2,000 known to have queried it, the opportunity for misuse/loss is rather large …

  9. qubito

    Does it also include accounts that were only used in standalone Messeger?

  10. Scott

    ***Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this.***

    “No actual risk” ? I think maybe he misspoke. There is most definitely an actual RISK. Perhaps, they haven’t found any “actual abuse” or “actual breaches,” but the risk is certainly there

  11. Matt

    Is this viable for a lawsuit, invasion of privacy- Class Action Lawsuit???? Let us all destroy Facebook

    1. Lisa

      Zuckerberg is a severe malignant narcissist like most of the rest of the “leaders” in this country. The new word of the day and year is PATHETIC.
      Dominance and control are what narcissists are after. Our future souls are very highly at stake now.

  12. Richard

    The CEO and founder of Facebook should be jailed for gross negligence .

  13. Emerson

    I just wanted to take a moment to say I thought you wrote a fine article and thank you for your hard work I could give a damn about a typo come on guys lighten up

  14. John Harriger

    Can I sue them.I have been IDTheft victum. Might be 1 reason

    1. Lisa

      How about the notion that employers got into prospective employees sites and then didnt hire based on their surreptitious acts? It seems everyone in the country is suing someone, why not?

  15. Rob

    It has been mentioned before that Facebook were/are using some sort of password-typo tolerance. For example, if your password was “Password” then similar variations such as “pASSWORD” would also be accepted. Or if your password was “PaSSword” then “pAssWORD” would be accepted, etc..

    When we then asked whether that meant Facebook was storing passwords in plain text, we were told no. So now it turns out they’ve been storing plain text passwords after all…

    1. A

      Password could be normalized (say all lowercase) at the source, before encrypting or before comparing with encrypted pwd. No need to store in plain text. Even if you did spell checking, you could do it before encrypting, as long as it is a deterministic process. I don’t think reducing pwd diversity is a good practice though.

  16. JR

    It never ceases to amaze me why plaintext EVEN LEAVES THE CLIENT MACHINE!

    It is trivial to hash a password field using some JavaScript (to a sha or similar) and then send THAT. Granted, it’s technically no more “secure” than transmitting the plaintext and implementing some hashing logic on the other side but it can’t hurt. I’m not advocating for client side hashing in leu of server side hashing. Rather, I’m amazed that BOTH are never even considered / discussed.

    1. Kenji

      I don’t understand how that could work. If the client can authenticate by sending the hash only and not the plain-text, then doesn’t that make the hash in effect an unhashed password?

  17. Keith

    I think that Facebook is an extension of the government to gain information about every one that on that site. They probably financed the entire social network. That’s why they drilled him on Capitol hill……..

    1. Reed

      There were stories years ago that the FBI/NSA was working with Facebook to further the surveillance of their user-base. What better way, right? “Oh, people don’t like us spying on them? Let’s team up with the world’s largest social networking site and force them to without them ever knowing.” I got rid of my social networking accounts years ago and it was the best decision I’ve made in a long time.

      1. John Johnson

        The CIA has a venture capital fund that invests in new technology. It is called In-Q-Tel.

        In-Q-Tel was one of the first investors in Facebook.

  18. Robert

    I have someone who took over my info I can share it to someone that can do something with it

  19. RobertT

    Just figure that anything you transmit to the internet is not secure at all. This includes anything that is on a computer that is ever connected to the internet.
    If you want any semblance of security you must encrypt everything from the very first time you connect to the internet. Passwords must all be long strings of gobbledygook.

  20. Christopher

    An internal investigation with thousands of employees looks like this
    Investigator: “Did you ever access or use user passwords with intent other than improving facebook?”
    Employee: “I didn’t”
    Investigator: “OK. Sign this form and you are free to go.”

  21. Sandra potter

    I have pages open on Facebook I have been trying to close them for 2 years now it seems to me that I forgot my password and now I cannot close those pages and I would like to know why Is Facebook trying to keep all information from the pass Please close those pages Already have a new one

  22. Kathy

    Facebook doesn’t respond when a complaint is filed against hackers. I tried numerous times to get assistance from Facebook to
    Remove Fake Accounts but no help. Not a conscience business

    1. Bill

      The EU might give us some reprieve. They can likely fine Facebook under the terms of the GDPR.

      This is gross negligence, minimally exposing the private information of all FB users to 20,000 employees. And there are no guarantees that an employee didn’t exfiltrate at least some of the credentials.

  23. Count Chocula

    What can we do about this? I mean shouldn’t we be able to file a class action lawsuit for negligence or something.

    1. Fruity Pebbles

      I think it’s too early to tell, though I’m guessing the GDPR and other privacy corporations may find out and work towards slapping a hefty fine on them — we can hope. Though, to be honest, I’m not sure that anything will even come of this.

  24. Doris Porter

    My Facebook information has been hack. They are asking for friendship and it’s not me. I have never sent for a request. Only if someone asks me. I don’t know how I only share what someone has put on Facebook if I like or agree

  25. Mike

    I’ve read “encrypted” far too many times here. Encryption isn’t the big issue here. Yes, you want to encrypt communications across open networks, but passwords shouldn’t be stored in ANY form that can be reversed (plaintext OR encrypted). Usernames, salted hashes, and salts should be the only thing stored. Salt and hash the usernames if you want also. Even with access to the database, techs can’t see passwords if you only store hashes and salts. This way anything stolen still has to be brute forced.

Comments are closed.