For Years, Hundreds of Millions of Facebook Users Had Their Account Passwords Stored in Plain Text and Searchable By Thousands of Facebook Employees

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees -- in some cases going back to 2012, KrebsOnSecurity reported Thursday. From the report: Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is probing the causes of a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That's according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press. The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012. Facebook has responded.

Re:Hey look

[bill_mcgonigle]

Why is this still a company and not been shut down.

Most people don't care about their online privacy unless it's nudie pics. Seems strange to most of us here. They think we're strange.

cf. Snowden revelations going over like a lead balloon.

Didn't we already know this?

[Cajun+Hell]

People who actually see their spam (i.e. don't have fully automated filtering) have known that Facebook stores plaintext passwords, and that their database has been stolen, for quite some time.

I get about 10-20 (it varies) of the "I infected you with malware when you were jacking off to porn and recorded you jacking off" spams per day, where the spammer tells you an actual password that you used (for credibility when they claim they've compromised your machine), along with the email address that goes with that password. Among those, it's not unusual to see the address and the password that I had used for Facebook. Of course, there are plenty of others (I use a different email address and password for each website) but Facebook is definitely one of them.

For several months, I'm pretty sure it's been widely known by most email users (or at least the ones who occasionally glance at their spam) that Facebook got caught with their pants down.

(Or if not all email users who look at their spam knew this, at least it's the subset of us who always remember to install a user-facing camera and also install malware, whenever we're jacking off to porn. Maybe I should stop doing that.)

Re:Hey look

[cjjjer]

And a couple of years ago Twitter was storing user passwords in plain text in a log during authentication requests. The number of times I have worked on brownfield projects where the passwords are stored plain text it almost seem like it is the norm. People would be surprised on how often it happens.

Former FB guy here

You won't want to know half the shit that happens behind the scenes. Before FB, Zuck had a web page to compare girls to monkeys or dogs or whatever. That culture still exist in FB. I know one group that used AI to find hot girls, scan their messages for turn ons, then try to get some strange. I think there was a monthly prize for the best fuck. Goes without saying the they ran image recognition to find tits and ass (and cock). There was a big FB porn library for "research purposes".