Menlo Park-headquartered social media giant Facebook has said that as part of a routine security review in January 2019, it found that some user passwords were being stored in a readable format within its internal data storage systems. However, the company has now fixed the issue and said it will be notifying the affected users.
The development comes after cybersecurity reporter Brian Krebs reported the breach, saying that the bug dated back to 2012. Even though the company has not officially given any number of users affected, Krebs' report said the investigation so far indicates between 200 Mn and 600 Mn Facebook users may have had their account passwords stored in plain text and searchable by more than 20K Facebook employees.
The company said that it has found “no evidence to date that anyone internally abused or improperly accessed them,” but said it will notify “hundreds of millions of Facebook Lite users” and “tens of millions of other Facebook users.” Facebook Lite is a lighter version of Facebook for regions where internet speeds are slow and bandwidth is expensive.
The company also said “tens of thousands of Instagram users” will be notified of the exposure.
“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we discovered them,” the company said.
Facebook also explained how it stores users’ passwords: “In security terms, we ‘hash’ and ‘salt’ the passwords, including using a function called ‘scrypt’ as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.”
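The scheme the statement describes, a per-user random salt, the scrypt key-derivation function and a separate server-side secret key (often called a pepper), can be shown end to end in a few lines. The block below is an added example written for this article; it is not Facebook's code and does not reflect how Facebook's systems are built. The `PEPPER` constant, the scrypt work factors and the `scrypt$N$r$p$salt$digest` record format are assumptions chosen for the example. It shows that the stored record never contains the plaintext, that the same password produces a different record every time because of the salt, that verification recomputes the digest and compares it in constant time, and that a record hashed under weaker parameters can be flagged for transparent re-hashing on the next login.

```python
import hashlib
import hmac
import os

# Example only: a server-side secret ("pepper") standing in for the
# "cryptographic key" mentioned in the statement. Constructed as a fixed
# placeholder so the example runs offline; a real deployment keeps it in a
# KMS/HSM, never in the same datastore as the password hashes.
PEPPER = bytes.fromhex("00" * 32)  # constructed placeholder, not a real key

# Assumed scrypt work factors: N=2**14, r=8, p=1 needs about 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
HASH_LEN = 32  # bytes of derived key to store


def _prehash(password: str, pepper: bytes) -> bytes:
    """HMAC the password under the pepper so a leaked hash table is useless
    to an attacker who does not also hold the separately stored key."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a self-describing record: algorithm, parameters, random salt and
    digest. The plaintext password is never part of what gets stored."""
    salt = os.urandom(16)  # fresh per-user salt: equal passwords hash differently
    digest = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the digest using the parameters stored in the record and
    compare in constant time. Malformed records simply fail verification."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        if algo != "scrypt":
            return False
        candidate = hashlib.scrypt(_prehash(password, pepper),
                                   salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(digest_hex) // 2)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True when a stored record uses weaker parameters than current policy,
    so it can be upgraded after the next successful login."""
    try:
        algo, n, r, p, _salt, _digest = record.split("$")
    except ValueError:
        return True
    return (algo != "scrypt" or int(n) < SCRYPT_N
            or int(r) < SCRYPT_R or int(p) < SCRYPT_P)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                 # False
    print(needs_rehash(rec))                                      # False
```

The parameters are written into each record rather than hard-coded so that the work factors can be raised over time; `needs_rehash` is what a login handler would consult after a successful check to decide whether to re-store the password under the current settings.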
At the same time, Krebs' report said that some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.
This is not the first time social media players have faced data concerns over users’ passwords. Earlier, Twitter and GitHub were hit by similar but independent bugs, in which passwords were likewise stored in plaintext rather than scrambled.
Facebook has been at the centre of data breach scandals over the last year, drawing concern from users as well as governments. The company has reportedly admitted the breach to European Union agencies under the GDPR compliance rules. But it remains to be seen whether the Indian government summons the company again, seeking Indian users’ statistics, or whether Facebook gets out of the scandal unscathed again.