Report: Facebook Stored ‘Hundreds of Millions’ of Passwords in Plain Text

Facebook has not been on solid footing for quite some time, and things aren’t looking any better at the moment.

According to a new report from Krebs on Security, Facebook ran into an issue in storing passwords. Specifically, Facebook stored “hundreds of millions” of passwords in plain text. The standard operating procedure for these things is to protect them with encryption, what’s typically known as “hashing”. However, but various errors led to Facebook-branded apps to leave passwords accessible to up to 20,000 company employees.

According to the security team, between 200 million and 600 million Facebook users are affected by the issue. Facebook has since confirmed the problem, and said that it identified the security problem back in January of this year. The social network says it has since fixed the issue altogether, and it will be notifying users that were affected on an individual basis.

“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.

To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.”

This is yet another major issue for Facebook, and one that will probably not go over lightly — even if the company is trying to downplay it. In October of last year, for instance, a hacker was able to obtain the personal information of up to 29 million Facebook users, courtesy of log-in tokens. And up to 50 million different accounts were affected by a security issue in September of last year as well.

It’s probably a good time to change your Facebook/Instagram password, just to be on the safe side.

[via Krebs on Security; Facebook]