On Thursday, March 21, 2019 succeeding a report made by Krebs on Security, Facebook acknowledged that a “bug” in its password management systems allowed hundreds of millions of user passwords for Facebook and Instagram to be stored in plaintext on an internal platform. Translated, this means that Facebook employees could have easily searched for and found them. According to Krebs report, the list of passwords stretched all the way back to 2012.

See Also:

Background

For anyone less than technically savvy, you may now be wondering how passwords are usually stored and secured. Typically, organizations are able to store account passwords securely by scrambling them using a process known as password hashing, before saving them on their servers.

Cybersecurity Definitions:

Password Hashing is a one-way cryptographic transformation on a password, converting it into another string, called a ‘hashed password’. “One-way” refers to the fact that it would be practically impossible to turn the hashed password back into its original form.

By password hashing, even if someone is able to compromise the passwords, they will not be able to read them, and even a computer system would find pronounced difficulty in unscrambling them.

Facebook: In Plaintext

As a social media giant, Facebook would have been well aware that this would be an absolute gold mine for hackers and invests heavily to avoid the potential of a security mishap that could lead to liability losses and worse, an irreversible decline in brand confidence. Regrettably, in the world of cybersecurity, often times all it takes is one slip up to render well intended security investments useless.

“As part of a routine security review in January, we found that some use passwords were being store in readable format within our internal data storage systems. Our login systems are designed to mask passwords using techniques (password hashing) that make them unreadable. To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly access them.”

Pedro Canahuati – Vice President of Engineering, Facebook

Facebook is investigating a series of security failures in which employee-built applications had logged unencrypted password data for Facebook users and stored it in plain text on their internal servers.

So far, indications conclude that between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and accessible by more than 20,000 Facebook employees. While Facebook is still trying to determine exactly how many passwords were exposed and for how long, uncovered archives with plain text passwords date back as far as 2012.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data.”

Scott Refro – Software Engineer, Facebook

Scott Renfro, Facebook Software engineer, advises the issue first came to light in January 2019 when security engineers reviewing new code had noticed passwords were being unintentionally logged in plain text. This discovery then prompted the team to set up a small task force to ensure a broad-based review of anywhere else this could have been happening.

Despite Canahuati’s assurance Facebook users that the logging bug has now been corrected, it cannot be ignored that an organization of such a gargantuan scale retained logs that included sensitive data for so long, and further, why they were seemingly unaware of the contents.

Details from Facebook can be found here.

For help choosing a penetration testing company, or further clarification of anything else here, please contact us for more information.