Slashdot Mirror
For Years, Hundreds of Millions of Facebook Users Had Their Account Passwords Stored in Plain Text and Searchable By Thousands of Facebook Employees (krebsonsecurity.com)
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees -- in some cases going back to 2012, KrebsOnSecurity reported Thursday. From the report: Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is probing the causes of a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That's according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press. The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012. Facebook has responded.
Another story on how Facebook doesn't care about privacy.
The amount of these is insane. Why is this still a company and not been shut down.
http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
The CEO himself admitted to using this data to hack users' email.
The incompetence of these people is astonishing.
"First they came for the slanderers and i said nothing."
Yes.
Facebook: "Don't worry, all of our data problems were only used to help Democrats get elected!"
Why does anyone still trust this dumpster fire of a company?
Are the cat pics really worth it?
I think there needs to be school classes or something that teach 'internet defense'.
We're beyond any shadow of a doubt that we cannot trust *any* company with our data. People need to understand to use password managers instead of reusing passwords, not to share the details of their personal lives, etc.
The gov't doesn't seem to care about these privacy abuses and failures, and until that changes, people need to take precautions to defend themselves.
Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
So an entity can go ahead and be incompetent as long as any ongoing investigation has so far found no indication that employees have abused access to this data.?
Is that the issue anyway? FB should be sued. Victims should get some cash.
When he was Harvard, Zuckerborg went thru his classmates email accounts using their Facebook passwords. He knew that most users would reuse the same passwords for all of their accounts.
People who actually see their spam (i.e. don't have fully automated filtering) have known that Facebook stores plaintext passwords, and that their database has been stolen, for quite some time.
I get about 10-20 (it varies) of the "I infected you with malware when you were jacking off to porn and recorded you jacking off" spams per day, where the spammer tells you an actual password that you used (for credibility when they claim they've compromised your machine), along with the email address that goes with that password. Among those, it's not unusual to see the address and the password that I had used for Facebook. Of course, there are plenty of others (I use a different email address and password for each website) but Facebook is definitely one of them.
For several months, I'm pretty sure it's been widely known by most email users (or at least the ones who occasionally glance at their spam) that Facebook got caught with their pants down.
(Or if not all email users who look at their spam knew this, at least it's the subset of us who always remember to install a user-facing camera and also install malware, whenever we're jacking off to porn. Maybe I should stop doing that.)
"Believe me!" -- Donald Trump
Even if no Facebook employee took advantage of this. The incompetence of it existing is not acceptable.
Is not the problem if employees abused the power on those facebook accounts, is that they had the power to get insight on people's behavior on making passwords, they could not compromise the accounts but could have used it or give it to people that might use that as a way to access their bank accounts or other personal information.
It says more about what they want to do, because how hard is to enable hashed passwords? even if they didn't want to slow the servers making security, they should have told their users about that so at least they should know and not use the same password they use on other private services (yes, people still do that because convenience) or their own social security number.
I have never had a Facebook account, and probably never will. I have no problem keeping in touch with friends and family using more old-fashioned techniques.
Also, I don't re-use passwords across sites, for this exact reason. It makes password management a bit of a pain, but I am up to the task.
As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems.
Some? Hundreds of millions is some? Talk about understatement. But when you don't take security of your users, pardon, products serious, why worry?
This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.
Maybe give spamhouse a heads-up, a mass mail that large might trigger a response otherwise...
To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.
So nobody but your couple thousands employees saw them and they have all been asked whether they abused them which they responded to with a resounding "no". Sounds legit.
We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.
In other words, the blunder mostly affects products we give even less a shit about than the rest of you because they don't generate enough data points to be profitable anyway.
In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them.
So ... there are even worse security holes that we didn't even hear about yet? Admitting it proactively just in case someone stumbles upon them in the next couple days so you don't have to issue another "whoopsie, we fucked up" statement?
There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.
Because how are we supposed to sell data that anyone can access without paying for it?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Not storing passwords in plaintext is Computer Security 101. Even companies with atrocious security histories like Yahoo and Microsoft don't do that (at least recently). Sure a hacker can eventually break a hashed password, but at least it takes time and resources meaning the users with bad passwords get hacked first. But when passwords are stored in plaintext, tR0b4dOr&3 isn't any safer than PASSWORD123
Support Right To Repair Legislation.
Microsoft seems to be the only client I worked with that doesn't use passwords, and that was like 10 years ago. Even Cisco is probably still using passwords. Can anyone quote any other high tech company that doesn't use passwords anymore?
It's the only way to stop this asshole.
Since everyone uses a random password that's different for every single site / service, this doesn't matter. If you're dumb enough to share your passwords between sites and services, then you're an idiot.
But when passwords are stored in plaintext, tR0b4dOr&3 isn't any safer than PASSWORD123
Actually, when stored in most other way, a simple letter substitution of "trobadors" + number isn't that much safe neither (still a dictionary word, will simply pop up a tiny bit later in the brute force attack, once the brute forcers start to probe a couple of substitutions).
Currently, the only password that are a bit safer are stuff that comes out of your /dev/random ( <- notice absence of "u") optionally piped through something like base64 to convert them into symbols considered acceptable by the website. Things such as :
(an that's not safe anymore, now that I've posted it).
Even your cat walking accross the keyboard isn't safe anymore as computer modeling *is* able recognise cat-patterns, and thus in generative mode should be able to brute force some.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
For the past several weeks I (along with many other people) have been getting these scam emails saying that my password is a certain word and they're obviously logged into my account because they're sending me email from my own email address. (Which is stupid -- sender address has been trivial to spoof since email was invented, and that was neither the password for my email account nor ever the password to log into my workstation.). The spam then threatens to send all my contacts photos from my webcam (I don't have one) of me, um, enjoying myself to pr0n.
The password they always say they've captured was my very first facebook password. It's rather unique and I recognized it immediately.
So this pr0n scam... Is it an outsider scooping cleartext passwords and using them for spam, or is it someone at Facebook running a side business? Inquiring minds want to know.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
You won't want to know half the shit that happens behind the scenes. Before FB, Zuck had a web page to compare girls to monkeys or dogs or whatever. That culture still exist in FB. I know one group that used AI to find hot girls, scan their messages for turn ons, then try to get some strange. I think there was a monthly prize for the best fuck. Goes without saying the they ran image recognition to find tits and ass (and cock). There was a big FB porn library for "research purposes".
Lies? Well, yes, clearly there has been some lying. I can't speak towards whether or not the CEO admitted to using this to hack emails, that I've never heard (is there a reference for this?) but I can tell you there has to be some lying going on.
The clear lie is the claim they didn't know and that they are now "investigating" how this happened. That is so far off just PR spin that it's a blatant lie.
Their login database, for software reasons, has to be one of three methods. It has to be a) store 100% of the passwords as plain-text, b) store 100% of the passwords as hashed, or c) be a hybrid system that allows either a plain-text or a hashed password with a marker for each entry specifying whether that entry is hashed or plain.
Now, they clearly don't have system A or B above by their own admission (they admitted to having 200-600mil plain text passwords but not all passwords were plain text). Which means, they had to have system C - a hybrid. You CAN'T have a hybrid system without code specifically designed for it on both ends (storing the password then authenticating against it later). A system that is capable of storing either plain text or hashed passwords must be able to then differentiate between them when the user logged in and that code didn't just appear out of the ether. You can't accidentally store the password as plain-text and then when the user logs in have the login authentication code hash their login password and successfully check that hash against one stored plain-text.
So their whole "OMFG NW" and "we're checking how this happened" isn't even PR spin. It's a plain-text lie.
never mind, I read the linked article.
Renfro said the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.
So I am guessing that like where I work, we have some log tables/files where errors or debugging is performed from. And standard practice was not to encrypt prior to any other activity when it came to passwords. yea, ok.
Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
If I had to guess I would assume these are some of the oldest accounts and these people just never changed their passwords. Zuck while still in school probably wanted to read his friends e-mails and figured FB would be a good way to collect their passwords; or maybe he was just ignorant of best practices at the time and stored the passwords clear text because he did not know any better.
Then when people who knew better updated the software rather than just hashing the clear texts they had and updating the records put some logic in to first try a submitted password as clear text a test for match and if that failed hash it and test for match. That way old records would still work and passwords would just get hash as people changed them. Why nobody thought to go a just hash all the clear-texts they had at that point; I don't know just lazy probably.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Comment removed based on user account deletion
Facebook privacy statement "we store your data in safe ways"
Yet again - this isn't true. Passwords in plain text, giving data to others, psychology experiments on your timeline.
Half the crap in those documents is obviously not true. I will continue to provide fake information to them in my profile. I'm as honest as they are.
The point is, passwords should never have been available in plaintext in the first place.
What the heck is wrong with them? The techniques for keeping passwords encrypted (or not holding them at all, just the hash) are well known in the business, and have been well known for decades.
http://www.geoffreylandis.com
Their login database, for software reasons, has to be one of three methods. It has to be a) store 100% of the passwords as plain-text, b) store 100% of the passwords as hashed, or c) be a hybrid system that allows either a plain-text or a hashed password with a marker for each entry specifying whether that entry is hashed or plain.
Or, d) none of the above.
According to the article, there is an interface called "Facebook Lite" that is used for accessing facebook on low-bandwidth connections; it was primarily the Facebook Lite users that had their passwords stored in plain text.
http://www.geoffreylandis.com
You must be a millennial. Pretty sure there's a search box on this site, try using it next time. And editors? You are a sad lot.
Wasn't that at the direction of Zuckerberg's wife --- makes it easier for the hackers with China's Ministry of State Security, after all . . . .
"That's according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press."
Im sorry, but when did Facebook become the CIA? Every Facebook employee is allowed to speak to the press the same way any citizen of this country is free to speak to the press. Funny isint it? That a company which cares so little about YOUR privacy is really adamant about protecting THEIR privacy.
Or, d) none of the above.
According to the article, there is an interface called "Facebook Lite" that is used for accessing facebook on low-bandwidth connections; it was primarily the Facebook Lite users that had their passwords stored in plain text.
Fair enough, maybe all the users created through that lite interface had their passwords unhashed. But if you read the article, there are tens of millions of regular users too. And you can't tell me that no one who created an account through the lite version never tried to log in the normal way ever. Which means, somewhere the login API had to have global support for determining the difference between a hashed and plain-text password. Someone had to add that. Global support for differentiating between unhashed and hashed passwords on login had to be added on purpose. This cannot be a user creation issue alone.
Morgan, Facebook is the opposite of private. The internet is the opposite of private. I know I cant stop you from thinking that it is or that it should be,,,
The guy who founded the company is known to have said "dumb fucks" about his users. That's how he treats ALL of his users.
https://en.wikiquote.org/wiki/Mark_Zuckerberg
Zuck: Yeah so if you ever need info about anyone at Harvard
Zuck: Just ask
Zuck: I have over 4,000 emails, pictures, addresses, SNS
[Redacted Friend's Name]: What? How'd you manage that one?
Zuck: People just submitted it.
Zuck: I don't know why.
Zuck: They "trust me"
Zuck: Dumb fucks
Ad needed plain text.
Security services needed plain text.
Domestic spying is now "Benign Information Gathering"
I once signed up for a health insurance company, and when I got my first bill (in the mail, no less), they printed my online account password right on the bill in plain text, for my convenience.
Needless to say, I was not a customer for long.
Facebook's official response only came out after this latest lapse was revealed in the press. Just like most of their previous lapses (Cambridge Analytica). In Facebook's response, the claim that no passwords were revealed outside the company. How in the world can they be at all certain of that? All it would take is for an employee or contractor to copy the data to a flash drive and then take that home.
Facebook is inherently dishonest. Zuckerberg needs to go to jail. Dump Facebook.
Facebook users never learn. They're too busy seeking attention and causing drama. facebook is a platform for dumbasses.
Have anyone ever thought that this incident might have been related to the incident a couple weeks ago when FB was outage for many millions of users? Could it be from their investigation shutting down those accounts?
Why are passwords being saved in logs ?
It could be a simple case of logging passwords on the 'lite' login interface prior to hashing them and using the hash to authenticate, couldn't it? In that case it would capture everyone who logged into the lite version, irrespective of where the account originated. I've seen some pretty shocking debug logs in the past.