Millions of Facebook Passwords Kept in Plain Text for Employees to Access

Perhaps we should all change our Facebook passwords to play it safe, following news that Facebook kept, from as early as 2012, “hundreds of millions” of user account passwords in plain text, making them available to some 20,000 employees, writes KrebsOnSecurity following a tip from a source at Facebook.

According to Brian Krebs, Facebook is looking into a number of application “security failures” that led to the logging and storage of unencrypted password data on the internal network. This glitch may have affected between 200 million and 600 million accounts, but the company is still investigating before it reveals the exact number of exposed passwords, as well as details on the timeframe or employees who may have accessed the data.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source told KrebsOnSecurity. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

The social network says no evidence suggests the data was manipulated or compromised in any way by its employees and doesn’t urge users to reset their passwords.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” said Facebook software engineer Scott Renfro. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

Facebook claims the incident was detected in January and the people most affected so far appear to be Facebook Lite users.

“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the company said.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Luana Pascu. Read the original post at: