For Years, Hundreds of Millions of Facebook Users Had Their Account Passwords Stored in Plain Text and Searchable By Thousands of Facebook Employees (krebsonsecurity.com)
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees -- in some cases going back to 2012, KrebsOnSecurity reported Thursday. From the report: Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is probing the causes of a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That's according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press. The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012. Facebook has responded.
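The failure described above is an application logging the raw password before it is ever hashed. As an added example (not from the Krebs report, Facebook, or this post), the Python below shows the two defensive controls that prevent that class of leak: a logging filter that redacts credential-like fields before a record reaches any handler, and storage of only a salted scrypt digest, so there is no plain text to archive in the first place. All names (`CredentialRedactingFilter`, `capture_login_log`, the `auth.demo` logger) and the sample key list are constructed for this example.

```python
import hashlib
import hmac
import io
import logging
import os
import re
from typing import Any, Optional

# Keys whose values must never reach a log line (constructed list for this example).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}
# Matches "password=hunter2" or "token: abc" inside free-text log messages.
_KV_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)\s*[=:]\s*([^\s,;&]+)")


def redact(value: Any) -> Any:
    """Return a copy of a log payload with credential-like fields masked."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    if isinstance(value, str):
        return _KV_PATTERN.sub(lambda m: f"{m.group(1)}=[REDACTED]", value)
    return value


class CredentialRedactingFilter(logging.Filter):
    """Scrub the fully formatted message before any handler writes it to disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, dict):
            record.msg = redact(record.msg)
        else:
            # Format first, then scrub, so %s placeholders are never mangled.
            record.msg = redact(record.getMessage())
            record.args = None
        return True


def capture_login_log(username: str, password: str) -> str:
    """Log a login event through the filter and return what would have hit disk."""
    stream = io.StringIO()
    logger = logging.getLogger("auth.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(CredentialRedactingFilter())
    logger.addHandler(handler)
    # This is the kind of line an internal tool might emit; the filter rewrites it.
    logger.info("login attempt user=%s password=%s", username, password)
    handler.flush()
    return stream.getvalue().strip()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted scrypt digest instead of the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(capture_login_log("alice", "hunter2"))
    record = hash_password("hunter2")
    print(record, verify_password("hunter2", record), verify_password("wrong", record))
```

The filter is attached to the handler rather than the logger so that it also catches records propagated from other loggers, and the key list is the part a team would tune to its own field names; the scrypt parameters are the Python standard library defaults scaled to a 16 MiB work factor.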
Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
The CEO himself admitted to using this data to hack users' email.
The incompetence of these people is astonishing.
"First they came for the slanderers and i said nothing."
When he was at Harvard, Zuckerborg went thru his classmates' email accounts using their Facebook passwords. He knew that most users would reuse the same passwords for all of their accounts.
For the past several weeks I (along with many other people) have been getting these scam emails saying that my password is a certain word and they're obviously logged into my account because they're sending me email from my own email address. (Which is stupid -- sender address has been trivial to spoof since email was invented, and that was neither the password for my email account nor ever the password to log into my workstation.) The spam then threatens to send all my contacts photos from my webcam (I don't have one) of me, um, enjoying myself to pr0n.
The password they always say they've captured was my very first facebook password. It's rather unique and I recognized it immediately.
So this pr0n scam... Is it an outsider scooping cleartext passwords and using them for spam, or is it someone at Facebook running a side business? Inquiring minds want to know.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.