Facebook stored hundreds of millions of user passwords insecurely

- March 26, 2019
- Updated: July 2, 2025 at 5:11 AM

Facebook is becoming more famous for failing to look out for its users than for being a social network. Although the scandals coming out of Facebook HQ over the last few years have been much more serious and have had some pretty wide-reaching and devastating consequences, this latest blunder is the stupidest by far.
Hundreds of millions of Facebook and Instagram user passwords were stored unencrypted as text on internal servers

A recent Facebook blog post described how a routine security review showed that “some” user passwords were being stored in a readable text format. The post goes on to say that Facebook will be notifying all affected users, and it is here that the “some” mentioned earlier magically becomes “hundreds of millions”.
In the blog post, Pedro Canahuati, who is Facebook’s VP for Engineering, Security, and Privacy, writes, “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” If you’re a Facebook Lite user, you are exponentially more likely to have had your password stored in this insecure manner at Facebook HQ.
Canahuati does go on to mention, however, that none of the passwords were visible to anybody outside of Facebook and that the company has found no evidence that any Facebook employee has abused or improperly accessed the insecure list of user passwords.
Outside of Facebook, security expert Brian Krebs has also written a blog post on the latest Facebook blunder. According to Krebs, who cites an insider at Facebook, the internal investigation “so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.” The insider goes on to say, “Access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.”

Krebs went on, though, to point out that the further the investigation progresses, the easier Facebook’s legal team feels about the whole situation. It looks increasingly likely that although Facebook is going to have to notify all affected users, no actual password resets will be required.
This doesn’t come close to being one of the most serious scandals to rock Facebook recently. From causing depression to tracking location without permission, the scandals just haven’t stopped coming at Facebook for a period of years now. This is symptomatic, however, of a wider malaise at Facebook. The social network just doesn’t seem to care about its users. Not even enough to store their passwords, which protect some of the most intimate parts of their lives, properly and in a secure manner. The social network needs to have a look at itself and start thinking about how it is going to fix itself.
Patrick Devaney is a news reporter for Softonic, keeping readers up to date on everything affecting their favorite apps and programs. His beat includes social media apps and sites like Facebook, Instagram, Reddit, Twitter, YouTube, and Snapchat. Patrick also covers antivirus and security issues, web browsers, the full Google suite of apps and programs, and operating systems like Windows, iOS, and Android.