Facebook stored passwords for hundreds of millions of users in plain text, exposing them for years to anyone who had internal access to the files, according to security analysts. User passwords are normally stored only as one-way hashes (hashing, not reversible encryption, so the original password cannot be read back from the stored value), but a string of errors led certain Facebook-branded apps to write passwords into internal logs in readable form, leaving them accessible to as many as 20,000 company employees.
Between 200 million and 600 million Facebook users are believed to have been affected, according to the analysts at Krebs Security, who were the first to detect this security flaw. Facebook confirmed the issue in a blog post titled ‘Keeping Passwords Secure’, and said the company identified the problem in January of this year as part of a security review. Facebook says it has fixed the issue and will notify everyone affected. Facebook admitted that the plain text logging started as early as 2012, and that the issue may have impacted “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”. But the company added that “there was no evidence that the plain text passwords were exposed outside of the company or that they were abused internally. As a result, users will not be required to reset their passwords”.
Although there is no evidence of abuse, at least 2,000 Facebook employees searched through the files containing passwords, though it is not clear what their intention was. This is the latest in a string of bad security issues for Facebook. In October, a hacker was able to access personal information from 29 million accounts after stealing login tokens. Before that, hacked private messages from 81,000 users were found to have been put up for sale.