Facebook Employees Had Access to Millions of User Passwords Stored in Plain Text

Discussion in 'HardForum Tech News' started by cageymaru, Mar 21, 2019.

  1. cageymaru

    cageymaru [H]ard|News

    Messages:
    19,292
    Joined:
    Apr 10, 2003
In a new blog post entitled "Keeping Passwords Secure" Facebook VP Engineering, Security and Privacy Pedro Canahuati explains how the social media giant accidentally stored Facebook users' passwords on internal data storage systems in plain text. Pedro explains how "these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users." To keep your account safe, Facebook suggests changing your Facebook and Instagram passwords, picking strong passwords, using a password manager, and enabling a security key or two-factor authentication.

In recent months, Facebook has vowed to clean up its act as it has been accused of sharing user data, one-click account takeover bugs, paying minors to harvest their data without parental consent, had its enterprise certificate revoked by Apple, access token hack, Cambridge Analytica, and many more fines and hacks. I would suggest picking a password so long and complex that Facebook employees would get tired from writing it down.

    As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.
     
  2. Darunion

    Darunion 2[H]4U

    Messages:
    3,722
    Joined:
    Oct 6, 2010
  3. purple_monster

    purple_monster Limp Gawd

    Messages:
    357
    Joined:
    Jun 1, 2018
this isn't even that bad compared to what our collective brain has already forgotten, gosh the news moves SO fast:

    https://motherboard.vice.com/en_us/article/bjpqw4/facebook-fires-employee-stalk-women-online
    https://motherboard.vice.com/en_us/article/bjp9zv/facebook-employees-look-at-user-data
    https://www.dailydot.com/debug/facebook-data-stalking-employee/

I'm sure anyone with database/API access or however Facebook is built internally can do whatever they want and find whatever they want with plenty of time before getting caught. how is the inverse not possible?
     
    captaindiptoad likes this.
  4. raz-0

    raz-0 [H]ardness Supreme

    Messages:
    4,489
    Joined:
    Mar 9, 2003
    I see Facebook hired that guy that used to work for Sony.
     
    tetris42, bobdabilder and andrewaggb like this.
  5. bobdabilder

    bobdabilder Limp Gawd

    Messages:
    292
    Joined:
    Oct 7, 2009
  6. Ur_Mom

    Ur_Mom I'm Not Serious

    Messages:
    19,606
    Joined:
    May 15, 2006
    Seriously? I think whoever did that is probably not going to work with anything regarding security. Something so simple, yet they screwed the pooch bad.
     
  7. mothandras

    mothandras n00b

    Messages:
    32
    Joined:
    Jan 8, 2012
    What's Facebook?
     
    Fresch, Jim Kim and mullet like this.
  8. BloodyIron

    BloodyIron 2[H]4U

    Messages:
    3,440
    Joined:
    Jul 11, 2005
    You can't disprove the credentials weren't abused. Therefore the reasonable thing to assume is they were abused and tell everyone to change their passwords and stop using those passwords anywhere. Did Facebook even do this? I don't think so.

    They are seriously the most negligent corporation currently existing, and they don't even fucking care.

    Shit like this is why people think businesses, executives and such, are above the law, and are not held accountable or punished for their actions and negligence, in the same way the individual citizen is.

    Everyone should be treated 100% equally, no matter how big they are. Until then, we live in a two class society. The too big to fail, and the actual citizens.
     
  9. SvenBent

    SvenBent 2[H]4U

    Messages:
    2,791
    Joined:
    Sep 13, 2008
    these passwords were never visible to anyone outside of Facebook and

They shouldn't be visible to Facebook to begin with... That's just bad IT right there

    Facebook should be penalized for this. 5 bucks per name and 5 bucks per password. paid to the person the info is about.
     
    mynamehere and Jim Kim like this.
  10. RealBeast

    RealBeast Gawd

    Messages:
    648
    Joined:
    Aug 4, 2010
    And they suggest a strong password, like it's a user issue.

That would help if FB could do something really crazy, like not keeping passwords in plain text files.

    How strong is strong in plain text? :rolleyes:
     
  11. greenman

    greenman Gawd

    Messages:
    594
    Joined:
    Jul 17, 2007
    Pretty sure even phpfox doesn't store in plain text..
     
  12. Fresch

    Fresch n00b

    Messages:
    41
    Joined:
    Mar 14, 2018
    People are people no matter who they are or where they work. If you are on the internet social media with real information you need to go get your head examined.
     
    maxz01 likes this.
  13. katanaD

    katanaD [H]ard|Gawd

    Messages:
    1,987
    Joined:
    Nov 15, 2016

i work with some who LOVE to keep their end users' passwords in excel... because it makes things easier for them..

    :sick::(:mad:
     
    RealBeast likes this.
  14. Oldmodder

    Oldmodder Gawd

    Messages:
    619
    Joined:
    Aug 24, 2018
I am not much better, I have a little black book wherein I have put usernames and passwords for the past 10 years.


EDIT: :eek: okay let's say almost 20 years, as the book is a calendar and it's from 2001.
     
  15. darckhart

    darckhart Limp Gawd

    Messages:
    237
    Joined:
    Jun 15, 2013
    yea uh why are passwords even collected in plaintext....
     
    SvenBent and joobjoob like this.
  16. Gottfried Leibnizzle

    Gottfried Leibnizzle Limp Gawd

    Messages:
    258
    Joined:
    Apr 29, 2015
    Somebody needs to put an "I" after "FB"...
     
    joobjoob likes this.
  17. joobjoob

    joobjoob Gawd

    Messages:
    544
    Joined:
    Jun 29, 2004
    Vast majority of people I know use the same email and passwords as often as possible.
     
  18. joobjoob

    joobjoob Gawd

    Messages:
    544
    Joined:
    Jun 29, 2004
Personally I love when passwords are hashed but not salted so all you have to do is copy in a known hash and you are in.

    Knowing to look for this I was involved in multiple infosec projects at previous employers to change the system before anyone caught on. To say nothing of government agencies where HINC decided to ignore the problem, and just play the normie card of "oh noes we wuz hacked!"
     
  19. Hashiriya415

    Hashiriya415 [H]Lite

    Messages:
    104
    Joined:
    Mar 17, 2019
    I share my FB pass with all my friends. FB means nothing to me.
     
  20. TheOne&OnlyZeke

    TheOne&OnlyZeke 100% Irish

    Messages:
    10,193
    Joined:
    Jul 21, 2000
    When I started my job, the passwords for all IT systems were stored in a password protected Access 2000 database

    This was in a government body.

    Sigh.....
     
  21. YeuEmMaiMai

    YeuEmMaiMai Death Incarnate

    Messages:
    13,894
    Joined:
    Jun 11, 2004
    i wonder how many were

    password
    12345678
    facebook
    administrator
     
  22. MyNameIsAlex

    MyNameIsAlex Limp Gawd

    Messages:
    313
    Joined:
    Mar 10, 2019
How is this not secure? I do this too, it is in the safe. If the safe is not secure, then well I'm totally screwed anyways, the least of my problems is a Filipino 11 yr old photoshopping genitals on my hardforum profile
     
    Last edited: Mar 22, 2019
  23. Jagger100

    Jagger100 [H]ardness Supreme

    Messages:
    7,420
    Joined:
    Oct 31, 2004
    Well if they didn't they'd just have 1 or 2 or maybe 3 they recycle everywhere.
     
  24. ZenDragon

    ZenDragon [H]ard|Gawd

    Messages:
    1,700
    Joined:
    Oct 22, 2000
That is my question... while I am concerned about passwords being in plain text of course, and this particular incident is obviously a huge threat to users. I am more concerned that the encryption used is actually reversible such that they can be decrypted to begin with as that is more of a systemic issue. Passwords should always be stored using non-reversible encryption.
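Added example (not from this thread, and not Facebook's or any real site's code) showing the point ZenDragon makes here, that a stored password must not be recoverable from what is stored, together with joobjoob's earlier point about unsalted hashes. It builds a stored verifier from a per-user salt and a slow one-way derivation (PBKDF2-HMAC-SHA256 from Python's standard library), verifies a login attempt in constant time, and includes an audit pass that flags entries in a credential store that are not well-formed salted verifiers, which is the kind of routine review that catches plaintext or legacy unsalted digests. The iteration count, the record format, and the sample user names and passwords are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# KDF parameters are assumed example values for this demonstration, not any real site's.
ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32
SCHEME = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """The weak scheme: no salt, so every user with the same password shares one
    digest, and a precomputed table of common passwords applies to all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> str:
    """Build a stored verifier 'pbkdf2_sha256$<iterations>$<salt_hex>$<key_hex>'.

    Only a slow, salted, one-way derivation of the password is stored; nothing in
    this module (or anywhere else) can turn the record back into the password."""
    salt = secrets.token_bytes(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)
    return "$".join([SCHEME, str(ITERATIONS), salt.hex(), key.hex()])


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def audit_records(store: Dict[str, str]) -> List[str]:
    """Return the user ids whose stored value is not a well-formed salted verifier.

    This needs no knowledge of the passwords themselves: it only checks that each
    entry has the expected scheme, a positive iteration count, a full-length salt
    and a non-empty derived key. Plaintext and bare digests fail the check."""
    bad = []
    for user, record in store.items():
        parts = record.split("$")
        ok = len(parts) == 4 and parts[0] == SCHEME
        if ok:
            try:
                ok = (int(parts[1]) > 0
                      and len(bytes.fromhex(parts[2])) >= SALT_LEN
                      and len(bytes.fromhex(parts[3])) > 0)
            except ValueError:
                ok = False
        if not ok:
            bad.append(user)
    return bad


if __name__ == "__main__":
    # Constructed sample store: two users chose the same password.
    store = {
        "alice": make_record("correct horse battery staple"),
        "bob": make_record("correct horse battery staple"),
        "legacy_carol": unsalted_sha256("correct horse battery staple"),
        "log_dump_dave": "correct horse battery staple",   # plaintext entry
    }
    assert store["alice"] != store["bob"]   # per-user salt: same password, different records
    assert verify("correct horse battery staple", store["alice"])
    assert not verify("wrong password", store["alice"])
    print("flagged:", audit_records(store))   # -> ['legacy_carol', 'log_dump_dave']
```

The audit function is the part worth reusing: run over a dump of whatever internal store or log is suspected of holding credentials, it separates well-formed verifiers from anything else, and anything else is what needs investigating.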
     
  25. IcePickFreak

    IcePickFreak [H]ard|Gawd

    Messages:
    1,082
    Joined:
    Dec 1, 2010
    Probably the head of security at Equifax now. ;)
     
    GoldenTiger, Fresch and Ur_Mom like this.
  26. Nenu

    Nenu [H]ardened

    Messages:
    18,601
    Joined:
    Apr 28, 2007
    There should be a minimum standard of security applied to user data otherwise the site is forcibly taken offline.
    Call it a license that can be revoked when they breach it, along with suitable fines and offline times that are large enough to have an impact.
    If they keep going offline people will migrate away and I will laugh.
     
  27. Darunion

    Darunion 2[H]4U

    Messages:
    3,722
    Joined:
    Oct 6, 2010
I really hate regulation because in most cases it really is just a money maker. In this I agree, it does go against the whole 'free internet' but I don't know of a solution otherwise. Probably couldn't force someone offline but I could see a certification that would be displayed on the page and link to a reg number to validate. Maybe it could be easier to teach people not to input into uncertified websites?

    I really wish every single thing did not require an account.
     
  28. lcpiper

    lcpiper [H]ardForum Junkie

    Messages:
    10,439
    Joined:
    Jul 16, 2008
    That is exactly what this guy is doing :rolleyes:
     
  29. rinaldo00

    rinaldo00 [H]ard|Gawd

    Messages:
    1,418
    Joined:
    Mar 9, 2005
    Facebook is eCancer
     
    RealBeast, Zareek and qb4ever like this.
  30. Zareek

    Zareek Limp Gawd

    Messages:
    191
    Joined:
    Sep 5, 2011
    Wow, what's next for Facebook? How else can they abuse people's trust? I'm not sure anything is left.

    Oh yeah, let's buy one of those cameras with a screen on it so they can see what I do at home and take a look around. Maybe sell that information, I will get to see myself in boxer shorts in an ad for weight loss pills.