Facebook has admitted that millions of user passwords were readable by its employees for years, after being stored in plain text on its internal servers, violating fundamental computer security practices.
Pedro Canahuati, the company’s vice president of engineering, security, and privacy, said on Thursday that the blunder was uncovered during a routine security review in January.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Canahuati said in a blog post.
But thousands of employees could have searched them.
The news comes after a series of controversies centred on whether Facebook properly safeguards the privacy and data of its more than 2.2 billion worldwide users.
Canahuati said that the company expected to notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users whose passwords may have been vulnerable to prying eyes.
Facebook Lite is a version designed for people with older phones or low-speed internet connections. It is used primarily in developing countries.
“We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” Canahuati said.
Plain text files
Brian Krebs, of security news website KrebsOnSecurity.com, cited an unnamed Facebook source as saying the internal investigation had so far indicated that the account passwords of as many as 600 million users of the social network were stored in plain text files searchable by more than 20,000 employees.
The exact number had yet to be determined, but archives with unencrypted user passwords were found dating back to the year 2012, according to Krebs.
Facebook Lite was introduced in 2015, and the company purchased Instagram in 2012.
Facebook’s admission of the faux pas came after the report by Krebs.
Facebook’s practice is to mask people’s passwords by replacing them with random characters and then tucking away software keys needed to make sense of the jumble, according to Canahuati.
The technique allows Facebook’s system to recognise valid passwords when users log in, without storing the information in plain text that employees or hackers could read.
“There is no valid reason why anyone in an organisation, especially the size of Facebook, needs to have access to users’ passwords in plain text,” said cybersecurity expert Andrei Barysevich of Recorded Future.
The problem, according to Facebook, wasn’t due to a single bug. During a routine review, it says, it found that the plain text passwords were unintentionally captured and stored in its internal storage systems.
This happened in a variety of circumstances – for example, when an app crashed and the resulting crash log included a captured password.
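The failure mode described above, as an added example that is not Facebook's code: a redaction step applied to crash-report payloads before they are written, and an audit routine for finding unredacted password fields in existing log archives. The field names, the log format and the sample lines are constructed assumptions for illustration.

```python
import json
import re
from typing import Any

# Field names whose values must never reach a crash log. These names are
# assumptions for this example, not Facebook's internal field names.
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd", "new_password", "old_password"}
REDACTED = "[REDACTED]"

# Password fields inside URL-encoded bodies or query strings, e.g. "pass=hunter2".
_FORM_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd)=([^&\s]*)")


def redact(obj: Any) -> Any:
    """Recursively strip credential values from a crash-report payload before it is stored."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return _FORM_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", obj)
    return obj


def line_has_plaintext_password(line: str) -> bool:
    """Detect an archived log line that still carries an unredacted password field."""
    try:
        payload = json.loads(line)
    except json.JSONDecodeError:
        return any(m.group(2) != REDACTED for m in _FORM_RE.finditer(line))
    return redact(payload) != payload


def audit_archive(lines: list[str]) -> list[int]:
    """Return the indices of lines in a log archive that expose a password."""
    return [i for i, line in enumerate(lines) if line_has_plaintext_password(line)]


# Constructed sample archive modelled on the failure mode in the article: a login
# request was in flight when the app crashed and the whole request was attached
# to the crash report. Line 0 leaks; line 1 was redacted at write time; line 2 is clean.
SAMPLE_ARCHIVE = [
    json.dumps({"event": "app_crash", "request": {"path": "/login",
                "form": {"email": "user@example.com", "password": "hunter2"},
                "raw_body": "email=user%40example.com&pass=hunter2"}}),
    json.dumps(redact({"event": "app_crash", "form": {"password": "hunter2"}})),
    "2019-01-15T10:00:00Z WARN app_crash path=/feed user_id=42",
]

if __name__ == "__main__":
    print("leaking lines:", audit_archive(SAMPLE_ARCHIVE))  # [0]
```

Redaction at write time prevents new archives from accumulating credentials; the audit routine is what a review of existing archives, like the one the article describes, would run over each stored line.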
Facebook said that social network users could harden security by updating to complex passwords and opting to require a second piece of data such as a texted code to access accounts.
Facebook reaches an estimated 2.7 billion people with its core social network, Instagram and messaging applications.