Facebook Stored Millions (Billions?) of Passwords Unencrypted for Years
Seems like Facebook can’t catch a break. Whether it is Cambridge Analytica or one of the many other scandals plaguing the company, it seems like the only news coverage they get is bad coverage.
This time it is information that Facebook logged users’ passwords in plain text for anyone to read, stored those logs on internal company servers and gave access to that data to tens of thousands of employees.
Other than that Mrs. Lincoln, how was the play tonight?
The internal investigation, which began in January and is still ongoing, discovered that 2,000 employees made 9 million queries for data elements that contained plain text user passwords.
Facebook says that the passwords were logged in plain text “inadvertently”. Possibly, but since protecting passwords is like programming 101 or maybe even programming 001, how could that be?
Facebook now says that they plan to tell people that their passwords were exposed. Sometime. They did post an announcement of the situation, here.
Facebook says that they will need to notify hundreds of millions of Facebook light users (light is the version that is used in the places where bandwidth is at a premium), tens of millions of other Facebook users and tens of thousands of Instagram users.
So what should you do?
I would recommend changing your Facebook password no matter whether you receive notice from them or not.
If you use the same password on any other web sites, change those passwords too.
Enable two factor authentication on the Facebook web site. This is very simple to do and provides a lot of extra protection.
Review what third party apps you have given permission to access your Facebook data.
If you were sharing passwords between web sites, this is perfect reason not to do that. Using a password manager makes it a lot easier to use unique passwords.
Facebook supports using an authenticator app such as Authy or Google Authenticator as the second factor rather than text messages. It APPEARS that if you have a phone number associated with your account, they insist on allowing you to use that in an emergency. Which means a hacker can declare an emergency. Remove your phone number from your account to solve that problem. Probably a good idea anyway.
Information for this post came from Brian Krebs.