“Hundreds of millions” of account passwords were stored in plain text for years, Facebook confirmed, following a report by cybersecurity reporter Brian Krebs. The flaw was discovered during a routine security review in January, said Facebook’s Pedro Canahuati. He also said that the passwords were not visible to anyone outside Facebook.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” said Canahuati. “We have found no evidence to date that anyone internally abused or improperly accessed them,” he added, without explaining how the company reached that conclusion.
Krebs, however, reports that the bug has existed since 2012 and exposed the data to some 2,000 Facebook engineers and developers. He also said that at least 600 million users could be affected, about one-fifth of the company’s 2.7 billion users. Facebook has yet to confirm these numbers.
Companies like Facebook, Twitter, and other online services usually hash and salt passwords (or at least should). These techniques scramble the original password before it is stored and allow the company to verify a submitted password without ever knowing what it is. But it seems that, joining Twitter and GitHub, Facebook has also failed to store its users’ passwords in a non-readable format.
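To make the hash-and-salt mechanism concrete, here is an added example (not Facebook’s code, and not from the original article) showing how a login system stores a per-user salt and a derived key instead of the password, and how it verifies a login attempt without ever holding the plaintext at rest. It assumes PBKDF2-HMAC-SHA256 from Python’s standard library; the iteration count is a constructed value chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example: PBKDF2-HMAC-SHA256 with a
# 16-byte random salt per user. A real deployment tunes the cost to its
# hardware and would more likely use a memory-hard function such as scrypt.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "pbkdf2$<iterations>$<salt-hex>$<key-hex>".

    The record keeps only the salt, the cost parameter and the derived key;
    the password itself is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt by re-deriving the key with the stored salt.

    The comparison is constant-time so that a timing difference does not
    leak how many leading bytes of the derived key matched.
    """
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never accept
    if scheme != "pbkdf2":
        return False
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                      # what the database actually stores
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Because the salt is random, two users with the same password end up with different records, so a leaked table cannot be attacked with one precomputed lookup for all of them.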
Facebook said it will notify “hundreds of millions of Facebook Lite users” [the most affected group] and “tens of millions of other Facebook users.” The company also said “tens of thousands of Instagram users” will be notified of the exposure. The company also confirmed that the issue has now been fixed.