Facebook Employees Had Access to Millions of User Passwords Stored in Plain Text

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
20,172
In a new blog post entitled "Keeping Passwords Secure" Facebook VP Engineering, Security and Privacy Pedro Canahuati explains how the social media giant accidentally stored Facebook user's passwords on internal data storage systems in plain text. Pedro explains how "these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users." To keep your account safe, Facebook suggests changing your Facebook and Instagram passwords, pick strong passwords, use a password manager, and enable a security key or two-factor authentication.

In recent months, Facebook has vowed to clean up its act as it has been accused of sharing user data, one click account takeover bugs, paying minors to harvest their data without parental consent, had its enterprise certificate revoked by Apple, access token hack, Cambridge Analytica, and many more fines and hacks. I would suggest picking a password so long and complex that Facebook employees would get tired from writing it down.

As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.
 
Joined
Jun 1, 2018
Messages
691
this isnt even that bad compared to what our collective brain has already forgotten, gosh the news moves SO fast:

https://motherboard.vice.com/en_us/article/bjpqw4/facebook-fires-employee-stalk-women-online
https://motherboard.vice.com/en_us/article/bjp9zv/facebook-employees-look-at-user-data
https://www.dailydot.com/debug/facebook-data-stalking-employee/

im sure anyone with database/api or however facebook is built internally can do whatever they want and find whatever they want with plenty of time before getting caught. how is the inverse not possible?
 

Ur_Mom

Fully [H]
Joined
May 15, 2006
Messages
20,340
Seriously? I think whoever did that is probably not going to work with anything regarding security. Something so simple, yet they screwed the pooch bad.
 

BloodyIron

2[H]4U
Joined
Jul 11, 2005
Messages
3,439
You can't disprove the credentials weren't abused. Therefore the reasonable thing to assume is they were abused and tell everyone to change their passwords and stop using those passwords anywhere. Did Facebook even do this? I don't think so.

They are seriously the most negligent corporation currently existing, and they don't even fucking care.

Shit like this is why people think businesses, executives and such, are above the law, and are not held accountable or punished for their actions and negligence, in the same way the individual citizen is.

Everyone should be treated 100% equally, no matter how big they are. Until then, we live in a two class society. The too big to fail, and the actual citizens.
 

SvenBent

2[H]4U
Joined
Sep 13, 2008
Messages
3,208
these passwords were never visible to anyone outside of Facebook and

They shouldn;t be visible to facebook to begin with... That just bad IT right there

Facebook should be penalized for this. 5 bucks per name and 5 bucks per password. paid to the person the info is about.
 

Fresch

n00b
Joined
Mar 14, 2018
Messages
41
People are people no matter who they are or where they work. If you are on the internet social media with real information you need to go get your head examined.
 

katanaD

[H]ard|Gawd
Joined
Nov 15, 2016
Messages
1,987
And they suggest a strong password, like it's a user issue.

That would helps if FB could do something really crazy, like not keeping passwords in plain text files.

How strong is strong in plain text? :rolleyes:


i work with some who LOVE to keep their end users passwords in excel... because it makes things easier for them..

:sick::(:mad:
 

Oldmodder

Gawd
Joined
Aug 24, 2018
Messages
706
I am not much better, i have a little black book wherein i have put usernames and passwords for the past 10 years.


EDIT: :eek: okay lets say almost 20 years, as the book are a calendar and its from 2001.
 

darckhart

Limp Gawd
Joined
Jun 15, 2013
Messages
238
these passwords were never visible to anyone outside of Facebook and

They shouldn;t be visible to facebook to begin with... That just bad IT right there

Facebook should be penalized for this. 5 bucks per name and 5 bucks per password. paid to the person the info is about.

yea uh why are passwords even collected in plaintext....
 

joobjoob

Gawd
Joined
Jun 29, 2004
Messages
543
Vast majority of people I know use the same email and passwords as often as possible.
 

joobjoob

Gawd
Joined
Jun 29, 2004
Messages
543
Personally I love when passwords are hashed but not salted so all you have to do is copy in a a known hash and you are in.

Knowing to look for this I was involved in multiple infosec projects at previous employers to change the system before anyone caught on. To say nothing of government agencies where HINC decided to ignore the problem, and just play the normie card of "oh noes we wuz hacked!"
 

TheOne&OnlyZeke

100% Irish
Joined
Jul 21, 2000
Messages
10,613
When I started my job, the passwords for all IT systems were stored in a password protected Access 2000 database

This was in a government body.

Sigh.....
 

MyNameIsAlex

Limp Gawd
Joined
Mar 10, 2019
Messages
313
I am not much better, i have a little black book wherein i have put usernames and passwords for the past 10 years.


EDIT: :eek: okay lets say almost 20 years, as the book are a calendar and its from 2001.

How is this not secure? I do this too, it is in the safe. If the safe is not secure, then well I'm totally screwed anyways, the least of my problems is a Filipino 11 yr old photo shopping genitals on my hardfourm profile
 
Last edited:

ZenDragon

[H]ard|Gawd
Joined
Oct 22, 2000
Messages
1,698
yea uh why are passwords even collected in plaintext....

That is my question... while I am concerned about passwords being in plain text of course, and this particular incident is obviously a huge threat to users. I am more concerned that the encryption used is actually reversible such that they can be decrypted to begin with as that is more of a systemic issue. Passwords should always be stored using non-reversable encryption.
 

Nenu

[H]ardened
Joined
Apr 28, 2007
Messages
19,447
There should be a minimum standard of security applied to user data otherwise the site is forcibly taken offline.
Call it a license that can be revoked when they breach it, along with suitable fines and offline times that are large enough to have an impact.
If they keep going offline people will migrate away and I will laugh.
 

Darunion

2[H]4U
Joined
Oct 6, 2010
Messages
4,050
There should be a minimum standard of security applied to user data otherwise the site is forcibly taken offline.
Call it a license that can be revoked when they breach it, along with suitable fines and offline times that are large enough to have an impact.
If they keep going offline people will migrate away and I will laugh.

I really hate regulation because in most cases it really is just a money maker. In this I agree, it does go against the whole 'free internet' but I don't know of a solution otherwise. Probably couldn't force someone offline but I could see a certification that would be display on the page and link to a reg number to validate. Maybe it could be easier to teach people not to input into uncertified websites?

I really wish every single thing did not require an account.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,611
You can't disprove the credentials weren't abused. Therefore the reasonable thing to assume is they were abused and tell everyone to change their passwords and stop using those passwords anywhere. Did Facebook even do this? I don't think so..

That is exactly what this guy is doing :rolleyes:
 

Zareek

Limp Gawd
Joined
Sep 5, 2011
Messages
191
Wow, what's next for Facebook? How else can they abuse people's trust? I'm not sure anything is left.

Oh yeah, let's buy one of those cameras with a screen on it so they can see what I do at home and take a look around. Maybe sell that information, I will get to see myself in boxer shorts in an ad for weight loss pills.
 
Top