Today, the cybersecurity blog KrebsOnSecurity revealed that Facebook had stored hundreds of millions of users’ passwords in plain text. The social media giant has come under fire recently for numerous cybersecurity and privacy issues; the Facebook Password Problem is just the latest scandal.
According to Krebs, Facebook stored these users’ passwords without hashing or encrypting them. Up to 20,000 Facebook employees could search through the plain text passwords at will, and around 2,000 programmers and developers actually ran searches against the unhashed passwords. KrebsOnSecurity put the number of affected users between 200 million and 600 million.
In an official blog post, Facebook said it discovered the flaw in January during a routine security review and has since fixed it. Facebook did not confirm either the number of users affected or the number of employees with access to the plain text passwords.
Instead, the social media giant announced plans to notify all affected users. Facebook also stressed that no one outside the company accessed the exposed passwords, nor did anyone abuse them; users do not need to change their passwords, although they certainly can if they wish.
Best Practices From the Facebook Password Problem
We’ve written extensively on what enterprises can do to improve their password security. However, we wanted to turn it over to Stephen Cox, Chief Security Architect of SecureAuth; he summarizes the best practices takeaways from the Facebook Password Problem succinctly:
“The discovery is just another indication that our continued reliance on passwords is not sustainable and fails consumers. Decades of experience show us that the password is an archaic method of authentication, often not under the control of the user, and simply isn’t enough to satisfy today’s threat landscape. Not only are many organizations using poor hygiene when storing passwords, but a large portion of these passwords are also already widely available on the dark web due to previous massive breaches. The reality is that people reuse passwords across multiple websites and password leaks can have far-reaching consequences.
With the trend of password leakage and the resulting credential misuse on the rise, organizations must evolve and adopt modern approaches to identity security, ones that improve security posture but take care to keep the user experience simple. We need to move beyond the password, and basic two-factor authentication methods, to modern adaptive risk-based approaches that leverage real-time metadata and threat detection techniques to improve end-user trust. The goal should be rendering stolen credentials useless to an attacker.”
Thank you to Stephen Cox of SecureAuth for his time and expertise!
By Ben Canner