Facebook Password Debacle – How Did This Happen?

Title image from Wired magazine's March 2018 cover, via ZDNet's article.

Facebook has categorically mishandled some extremely sensitive information, our passwords, by allowing them to be written to a plain TEXT FILE on a drive on their internal network. This was reported by Brian Krebs yesterday and subsequently acknowledged by Facebook. In this post, I'll discuss the magnitude of the fact that they were unaware of this for so long (since 2012), what this says about their internal processes, why the little that Facebook has said about it doesn't add up, and potential consequences for their users. I go on to explain how an engagement with IntelliGO may have made this a lot less likely for them.

How could they not know? 

I cannot overstate the shock I experienced on learning that Facebook didn't know about this problem for so long. To me, this indicates a clear absence of checks, balances, and audits that would have made such an occurrence obvious to anybody looking for it. Facebook claims to have discovered this in January of this year in a "routine security review", which raises the question: how many such "routine" reviews have occurred since 2012 (the earliest instance of the problem according to Krebs' senior Facebook source), and why didn't they uncover this grievous error?

Process Issues Are Requisite for This to Happen 

As some of you are aware, I developed the IntelliGO Platform, so I know a thing or two about software development. The burning question for me is, how do developers have access to production data at all, let alone passwords, in the first place? 
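The two controls this section and the previous one point at, a logging-layer scrub that keeps credential fields from ever reaching a file, and a periodic audit that scans existing log stores for values that slipped through, are sketched below as an added example of mine; it is not code from Facebook or from IntelliGO, and the field names and the sample log lines are constructed for illustration.

```python
import logging
import re

# Field names treated as credentials. These are assumptions for the example,
# not names taken from the Facebook incident.
SENSITIVE_FIELDS = ("password", "passwd", "pwd", "secret", "token")

# Matches key=value, key: value, or "key": "value" for the names above.
# Groups: 1 key, 2 quote after key, 3 separator, 4 quote before value, 5 value.
_CRED_RE = re.compile(
    r'\b(' + "|".join(SENSITIVE_FIELDS) + r')\b(["\']?)(\s*[=:]\s*)(["\']?)([^\s,;"\'&]+)\4',
    re.IGNORECASE,
)


def redact(line: str) -> str:
    """Return the line with every credential value replaced by [REDACTED]."""
    return _CRED_RE.sub(r"\g<1>\g<2>\g<3>\g<4>[REDACTED]\g<4>", line)


class RedactingFilter(logging.Filter):
    """Mitigation: scrub the rendered message before any handler writes it.

    Attach with logger.addFilter(RedactingFilter()) on the root logger so that
    debug-level request dumps cannot land a cleartext password on disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # render args, then scrub
        record.args = ()  # already interpolated; do not format again
        return True


def audit_log_lines(lines):
    """Detection: the check a routine review should run over stored logs.

    Returns (line_number, redacted_line) for each line that still carries a
    credential in the clear, so findings can be reported without copying
    the secret into yet another file."""
    return [(n, redact(line)) for n, line in enumerate(lines, 1)
            if _CRED_RE.search(line)]


# Constructed sample lines, not real log data.
SAMPLE_LOG = [
    "2019-03-21 10:01:02 INFO login ok user=alice",
    "2019-03-21 10:01:03 DEBUG auth request user=bob password=hunter2",
    '2019-03-21 10:01:04 DEBUG body {"user": "carol", "pwd": "s3cr3t!"}',
    "2019-03-21 10:01:05 INFO session refreshed user=dave",
]

if __name__ == "__main__":
    for n, line in audit_log_lines(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

The audit reports which lines leaked and in what form, which is what a review needs to trace the offending code path; the filter is the fix that makes the next review come back clean.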

The fact that this was able to be written (Read more...)

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Adam Mansour. Read the original post at: https://www.intelligonetworks.com/blog/facebook-password-debacle