AP

Facebook left millions of passwords readable by employees

Mar 21, 2019, 6:08 PM | Updated: 6:09 pm

FILE- In this Aug. 21, 2018, file photo a Facebook start page is shown on a smartphone in Surfside,...

FILE- In this Aug. 21, 2018, file photo a Facebook start page is shown on a smartphone in Surfside, Fla. (AP Photo/Wilfredo Lee, File)

(AP Photo/Wilfredo Lee, File)

SAN FRANCISCO (AP) — Facebook left hundreds of millions of user passwords readable by its employees for years, the company acknowledged Thursday after a security researcher exposed the lapse .

By storing passwords in readable plain text, Facebook violated fundamental computer-security practices. Those call for organizations and websites to save passwords in a scrambled form that makes it almost impossible to recover the original text.

“There is no valid reason why anyone in an organization, especially the size of Facebook, needs to have access to users’ passwords in plain text,” said cybersecurity expert Andrei Barysevich of Recorded Future.

Facebook said there is no evidence its employees abused access to this data. But thousands of employees could have searched them. The company said the passwords were stored on internal company servers, where no outsiders could access them. Even so, some privacy experts suggested that users change their Facebook passwords.

The incident reveals yet another huge and basic oversight at a company that insists it is a responsible guardian for the personal data of its 2.3 billion users worldwide.

The security blog KrebsOnSecurity said Facebook may have left the passwords of some 600 million Facebook users vulnerable. In a blog post , Facebook said it will likely notify “hundreds of millions” of Facebook Lite users, millions of Facebook users and tens of thousands of Instagram users that their passwords were stored in plain text.

Facebook Lite is a version designed for people with older phones or low-speed internet connections. It is used primarily in developing countries.

Last week, Facebook CEO Mark Zuckerberg touted a new ”privacy-focused vision ” for the social network that would emphasize private communication over public sharing. The company wants to encourage small groups of people to carry on encrypted conversations that neither Facebook nor any other outsider can read.

The fact that the company couldn’t manage to do something as simple as encrypting passwords, however, raises questions about its ability to manage more complex encryption issues — such in messaging — flawlessly.

Facebook said it discovered the problem in January. But security researcher Brian Krebs wrote that in some cases the passwords had been stored in plain text since 2012. Facebook Lite launched in 2015 and Facebook bought Instagram in 2012.

The problem, according to Facebook, wasn’t due to a single bug. During a routine review in January, it say, it found that the plain text passwords were unintentionally captured and stored in its internal storage systems. This happened in a variety of circumstances — for example, when an app crashed and the resulting crash log included a captured password.

But Alex Holden, the founder of Hold Security, said Facebook’s explanation is not an excuse for sloppy security practices that allowed so many passwords to be exposed internally.

Recorded Future’s Barysevich said he could not recall any major company caught leaving so many passwords exposed. He said he’s seen a number of instances where much smaller organizations made such information readily available — not just to programmers but also to customer support teams.

Security analyst Troy Hunt, who runs the “haveibeenpwned.com” data breach website , said the situation may be embarrassing for Facebook but not dangerous unless an adversary gained access to the passwords. Facebook has had major breaches, most recently in September when attackers accessed some 29 million accounts .

Jake Williams, president of Rendition Infosec, said storing passwords in plain text is “unfortunately more common than most of the industry talks about” and tends to happen when developers are trying to rid a system of bugs.

He said the Facebook blog post suggests storing passwords in plain text may have been “a sanctioned practice,” although he said it’s also possible a “rogue development team” was to blame.

Hunt and Krebs both likened Facebook’s failure to similar stumbles last year on a far smaller scale at Twitter and GitHub; the latter is a site where developers store code and track projects. In those cases, software bugs were blamed for accidentally storing plaintext passwords in internal logs.

Facebook’s normal procedure for passwords is to store them encoded, the company noted Thursday in its blog post.

That’s good to know, although Facebook engineers apparently added code that defeated the safeguard, said security researcher Rob Graham. “They have all the proper locks on the doors, but somebody left the window open,” he said.

___

Bajak reported from Boston.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

We want to hear from you.

Have a story idea or tip? Send it to the KSL NewsRadio team here.

Today’s Top Stories

AP

close up of a peleton bike pictured, a recall has been issued for some...

Associated Press

Peloton recalling more than 2M exercise bikes because the seat post assembly can break during use

The recall includes approximately 2.2 million of the Peloton Bikes Model PL01. The bikes were sold from January 2018 through May 2023 for about $1,400.

11 months ago

Immigration Asylum Family Reunification Explainer....

JULIE WATSON Associated Press

US will let in at least 100,000 Latin Americans to reunite with families

President Joe Biden's administration has promised to offer more legal options for Latin American migrants to come to the United States to be reunited with their families.

11 months ago

two border patrol agents pictured, agents are dealing with a surge as title 42 reaches its expirati...

Associated Press

Title 42 has ended. Here’s what it did, and how US immigration policy is changing

The end of Title 42's use has raised questions about what will happen with migration preparing for an increase in migrants.

11 months ago

Rumman Chowdhury is pictured, she is the coordinator for the mass AI hacking exercise...

Associated Press

Hackers aim to find flaws in AI – with White House help

No sooner did ChatGPT get unleashed than hackers started “jailbreaking” the artificial intelligence chatbot – trying to override its safeguards so it could blurt out something unhinged or obscene. But now its maker, OpenAI, and other major AI providers such as Google and Microsoft, are coordinating with the Biden administration to let thousands of hackers […]

11 months ago

Parents of Ema Kobiljski, 13, mourn during the funeral procession at the central cemetery in Belgra...

JOVANA GEC Associated Press

Burials held in Serbia for some victims of mass shootings

Funerals are taking place in Serbia for some of the victims of two mass shootings that happened in just two days, leaving 17 people dead and 21 wounded, many of them children.

11 months ago

interest rate...

DAVID McHUGH AP Business Writer

Europe’s inflation inches up ahead of interest rate decision

Europe's painful inflation has inched higher, extending the squeeze on households and keeping pressure on the European Central Bank to unleash what could be another large interest rate increase.

11 months ago

Sponsored Articles

close up of rose marvel saliva blooms in purple...

Shannon Cavalero

Drought Tolerant Perennials for Utah

The best drought tolerant plants for Utah can handle high elevations, alkaline soils, excessive exposure to wind, and use of secondary water.

Group of cheerful team members high fiving each other...

Visit Bear Lake

How To Plan a Business Retreat in Bear Lake This Spring

Are you wondering how to plan a business retreat this spring? Read our sample itinerary to plan a team getaway to Bear Lake.

Cheerful young woman writing an assignment while sitting at desk between two classmates during clas...

BYU EMBA at the Marriott School of Business

Hear it Firsthand: 6 Students Share Their Executive MBA Experience at BYU’s Marriott School of Business

The Executive MBA program at BYU offers great opportunities. Hear experiences straight from students enrolled in the program.

Skier being towed by a rider on a horse. Skijoring....

Bear Lake Convention and Visitors Bureau

Looking for a New Winter Activity? Try Skijoring in Bear Lake

Skijoring is when someone on skis is pulled by a horse, dog, animal, or motor vehicle. The driver leads the skiers through an obstacle course over jumps, hoops, and gates.

Banner with Cervical Cancer Awareness Realistic Ribbon...

Intermountain Health

Five Common Causes of Cervical Cancer – and What You Can Do to Lower Your Risk

January is National Cervical Cancer Awareness month and cancer experts at Intermountain Health are working to educate women about cervical cancer.

Kid holding a cisco fish at winterfest...

Bear Lake Convention and Visitors Bureau

Get Ready for Fun at the 2023 Bear Lake Monster Winterfest

The Bear Lake Monster Winterfest is an annual weekend event jam-packed full of fun activities the whole family can enjoy.

Facebook left millions of passwords readable by employees