Slashdot Mirror

← Back to Stories (view on slashdot.org)

For Years, Hundreds of Millions of Facebook Users Had Their Account Passwords Stored in Plain Text and Searchable By Thousands of Facebook Employees (krebsonsecurity.com)

Posted by msmash on from the security-woes dept.

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees -- in some cases going back to 2012, KrebsOnSecurity reported Thursday. From the report: Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is probing the causes of a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That's according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press. The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012. Facebook has responded.

18 of 106 comments (clear)

  1. Hey look by DarkRookie2 · · Score: 5, Insightful

    Another story on how Facebook doesn't care about privacy.
    The amount of these is insane. Why is this still a company and not been shut down.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    1. Re:Hey look by bill_mcgonigle · · Score: 3, Interesting

      Why is this still a company and not been shut down.

      Most people don't care about their online privacy unless it's nudie pics. Seems strange to most of us here. They think we're strange.

      cf. Snowden revelations going over like a lead balloon.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Hey look by cjjjer · · Score: 4, Interesting

      And a couple of years ago Twitter was storing user passwords in plain text in a log during authentication requests. The number of times I have worked on brownfield projects where the passwords are stored plain text it almost seem like it is the norm. People would be surprised on how often it happens.

    3. Re: Hey look by DickBreath · · Score: 2

      I do hope Facebook corrects this and requires everyone to delete their Facebook accounts.

      --

      I'll see your senator, and I'll raise you two judges.
    4. Re:Hey look by AHuxley · · Score: 2

      Social media cares about ads. Ads are the customers.

      --
      Domestic spying is now "Benign Information Gathering"
  2. Lies by phantomfive · · Score: 3, Informative

    Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

    The CEO himself admitted to using this data to hack users' email.

    The incompetence of these people is astonishing.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Lies by Anonymous Coward · · Score: 4, Insightful

      The incompetence of these people is astonishing.

      Is it incompetence, or a culture of entitled assholes?

      So far, my take on Facebook is it's led by a self-entitled asshole, and that probably permeates the entire company ... we're Facebook, so fuck you, we'll do whatever we want.

      This is a company which tracks you on almost every website unless you block them. Fuck that, I've blocked any of their domains and Zuckerfuck can kiss my ass and then fuck off.

      Everything about Facebook says it is ran by assholes, and by extension staffed by assholes.

      I'm not giving them a pass on incompetence, I think they're pretty much a malicious entity who feels they have the right to any of your data with or without your consent.

    2. Re:Lies by DarkOx · · Score: 2

      The CEO himself admitted to using this data to hack users' email.

      Really to bad the Computer Fraud and Abuse Act only has a 2 year statue of limitation for that soft of thing. Would have been hilarious to send Zuck to the pokey.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    3. Re:Lies by burtosis · · Score: 2, Informative

      Is it incompetence, or a culture of entitled assholes?

      I'm pretty sure it's both with some machiavellian criminality as an emulsifier. It's a popular recipe for success.

  3. Old Habits Die Hard... by mizkitty · · Score: 3, Informative

    When he was Harvard, Zuckerborg went thru his classmates email accounts using their Facebook passwords. He knew that most users would reuse the same passwords for all of their accounts.

  4. Didn't we already know this? by Cajun+Hell · · Score: 4, Interesting

    People who actually see their spam (i.e. don't have fully automated filtering) have known that Facebook stores plaintext passwords, and that their database has been stolen, for quite some time.

    I get about 10-20 (it varies) of the "I infected you with malware when you were jacking off to porn and recorded you jacking off" spams per day, where the spammer tells you an actual password that you used (for credibility when they claim they've compromised your machine), along with the email address that goes with that password. Among those, it's not unusual to see the address and the password that I had used for Facebook. Of course, there are plenty of others (I use a different email address and password for each website) but Facebook is definitely one of them.

    For several months, I'm pretty sure it's been widely known by most email users (or at least the ones who occasionally glance at their spam) that Facebook got caught with their pants down.

    (Or if not all email users who look at their spam knew this, at least it's the subset of us who always remember to install a user-facing camera and also install malware, whenever we're jacking off to porn. Maybe I should stop doing that.)

    --
    "Believe me!" -- Donald Trump
    1. Re:Didn't we already know this? by Cajun+Hell · · Score: 2

      Easy to say, but have you considered the practical ramifications? If I stop, one strain of malware will gain dominance. It's better to keep installing different malwares over each other, to prevent any of them from getting too powerful. They're already recording video of my most private moments; the last thing I want is for things to get worse.

      --
      "Believe me!" -- Donald Trump
  5. Allow me to comment their response by Opportunist · · Score: 2

    As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems.

    Some? Hundreds of millions is some? Talk about understatement. But when you don't take security of your users, pardon, products serious, why worry?

    This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.

    Maybe give spamhouse a heads-up, a mass mail that large might trigger a response otherwise...

    To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.

    So nobody but your couple thousands employees saw them and they have all been asked whether they abused them which they responded to with a resounding "no". Sounds legit.

    We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.

    In other words, the blunder mostly affects products we give even less a shit about than the rest of you because they don't generate enough data points to be profitable anyway.

    In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them.

    So ... there are even worse security holes that we didn't even hear about yet? Admitting it proactively just in case someone stumbles upon them in the next couple days so you don't have to issue another "whoopsie, we fucked up" statement?

    There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.

    Because how are we supposed to sell data that anyone can access without paying for it?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Luckily it doesn't matter by Murdoch5 · · Score: 4, Funny

    Since everyone uses a random password that's different for every single site / service, this doesn't matter. If you're dumb enough to share your passwords between sites and services, then you're an idiot.

  7. This is interesting by roc97007 · · Score: 4, Informative

    For the past several weeks I (along with many other people) have been getting these scam emails saying that my password is a certain word and they're obviously logged into my account because they're sending me email from my own email address. (Which is stupid -- sender address has been trivial to spoof since email was invented, and that was neither the password for my email account nor ever the password to log into my workstation.). The spam then threatens to send all my contacts photos from my webcam (I don't have one) of me, um, enjoying myself to pr0n.

    The password they always say they've captured was my very first facebook password. It's rather unique and I recognized it immediately.

    So this pr0n scam... Is it an outsider scooping cleartext passwords and using them for spam, or is it someone at Facebook running a side business? Inquiring minds want to know.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:This is interesting by Nixoloco · · Score: 4, Informative

      These are pretty common these days. It could be facebook, but more likely one of hundreds of other breaches (if you used the same password on another site) when the data gets posted to pastes on the net or "darknet."

      If you're not already doing it, you should check have i been pwned using common usernames/email addresses you've used to see all of the ways your info has been compromised.

      You can sign up to get notified if your info shows up in future breaches.

  8. Former FB guy here by Anonymous Coward · · Score: 3, Interesting

    You won't want to know half the shit that happens behind the scenes. Before FB, Zuck had a web page to compare girls to monkeys or dogs or whatever. That culture still exist in FB. I know one group that used AI to find hot girls, scan their messages for turn ons, then try to get some strange. I think there was a monthly prize for the best fuck. Goes without saying the they ran image recognition to find tits and ass (and cock). There was a big FB porn library for "research purposes".

  9. should never have been available in plaintext by Geoffrey.landis · · Score: 3, Insightful

    The point is, passwords should never have been available in plaintext in the first place.

    What the heck is wrong with them? The techniques for keeping passwords encrypted (or not holding them at all, just the hash) are well known in the business, and have been well known for decades.

    --
    http://www.geoffreylandis.com