Published: Thu, March 21, 2019
Electronics | By Kelly Massey

Facebook stored millions of passwords in plain text

Facebook stored "hundreds of millions" of account passwords without encryption and viewable as plain text to tens of thousands of company employees, the social media giant confirmed Thursday.

"The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees", KrebsOnSecurity wrote.

Facebook has known about the plain text passwords since January when a review carried out by security engineers noticed the passwords being logged.

Facebook said it will have to notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.

Facebook's password woes come amid a tough month for the social network.

The company did not say why it waited until March to notify users.


Facebook shared information about the security incident soon after it was first reported by Krebs on Security. The company said it hasn't found evidence this access was abused. He said Facebook had "fixed problems as we've discovered them", but the company did not immediately comment on other security mishaps it identified.

"The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds" of affected users, the source said.

Presumably in response to Krebs' report, Facebook issued a statement about general password security earlier today, explaining in the abstract that there had been a breach, but without the level of detail included in Krebs' coverage.

"In security terms, we 'hash' and 'salt' the passwords, including using a function called 'scrypt' as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters", it said.

Users' passwords are typically stored in a way that masks the text and makes them unreadable even to employees. Facebook Lite is a version of Facebook created for use in nations where mobile data is unaffordable or unavailable. Before that happens, Facebook has been looking to see which of the passwords, if any, show "signs of abuse", because only those users will need to be told to change their password.
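The salted, keyed scrypt storage that Facebook's statement describes, sketched as an added example (this is not Facebook's code and not part of the original article), together with a login audit line that never contains the password, which is the property the logging failure broke. Assumptions: the key is applied as an HMAC over the password before scrypt, the cost parameters and the `login_log_line` helper are illustrative, and the key and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed server-side key ("pepper"); in practice it lives in a KMS/HSM, not in code.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# scrypt cost parameters (assumed values; 128 * N * R = 16 MiB of memory per hash).
N, R, P, DKLEN = 2**14, 8, 1, 32


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Assumption: the key is applied as HMAC-SHA256 over the password before scrypt.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.scrypt(keyed, salt=salt, n=N, r=R, p=P, dklen=DKLEN)


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return the only value that should ever be stored: 'salt_hex$hash_hex'."""
    salt = os.urandom(16)  # unique per password, so equal passwords differ at rest
    return f"{salt.hex()}${_derive(password, salt, pepper).hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    salt_hex, hash_hex = record.split("$")
    candidate = _derive(password, bytes.fromhex(salt_hex), pepper)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def login_log_line(username: str, password: str, record: str) -> str:
    """Build the audit line for a login attempt; the password is never formatted in."""
    outcome = "success" if verify_password(password, record) else "failure"
    return f"login user={username} outcome={outcome}"


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample
    print(stored)
    print(login_log_line("alice", "correct horse battery staple", stored))
    print(login_log_line("alice", "wrong guess", stored))
```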
