Yesterday, Facebook disclosed that it had again slipped up on privacy and security, even as it continues to face enquiry over last year's Cambridge Analytica scandal. "As part of a routine security review in January, we found that some user passwords were being stored in a readable format [plain text] within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable," Vice President of Engineering, Security, and Privacy Pedro Canahuati said in a blog post on Thursday.
While he maintained that "these passwords were never visible to anyone outside of Facebook" - there is apparently no evidence that they were "improperly accessed" or abused - the worrying part is that the defect had left users exposed for up to seven years. KrebsOnSecurity, citing a senior Facebook employee, reported that the investigation so far has uncovered archives of plain text user passwords dating back to 2012, and that between 200 million and 600 million users may have had their account passwords exposed to more than 20,000 Facebook employees.
A majority of the affected were users of Facebook Lite, a version of the social media app predominantly used by people in regions with lower connectivity. "We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way," said Canahuati. "We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users." According to Wired, Facebook does not plan to reset those users' passwords.
The social media giant, in line with security best practices, says that it masks people's passwords when an account is created so that no one at Facebook can see them. "In security terms, we 'hash' and 'salt' the passwords, including using a function called 'scrypt' as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters," read the latest blog post. In other words, even if someone obtains the stored records, they cannot recover the original passwords from them: a salted, key-stretched hash is one-way, and the secret key means the stored value cannot even be attacked offline without it.
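The construction the blog post describes (salt, a memory-hard function such as scrypt, and a server-side cryptographic key) looks roughly like the following. This is an added illustration written for this article, not Facebook's actual code or parameters; the scrypt cost settings, the record format and the in-code `PEPPER` constant are assumptions, and in a real deployment the key would be held in an HSM or key-management service rather than next to the hash table.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative scrypt cost parameters (assumed, not Facebook's). Memory use is
# roughly 128 * r * N bytes, so N=2**14, r=8 is about 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32

# The server-side secret ("pepper"). Constructed constant for the example; a real
# service keeps this out of the database so a dumped hash table is useless alone.
PEPPER = bytes.fromhex("6f1c3a8c9d2b4e7fa0b1c2d3e4f5061728394a5b6c7d8e9fa0b1c2d3e4f50617")


def _stretch(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Salted, memory-hard stretching step: scrypt over the raw password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)


def hash_password(password: str, pepper: bytes = PEPPER, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$N$r$p$salt_hex$tag_hex.

    A fresh random salt is drawn per password unless one is supplied (tests only).
    The stored tag is an HMAC under the server key, so it cannot be brute-forced
    offline by someone who holds only the record.
    """
    salt = salt if salt is not None else os.urandom(16)
    stretched = _stretch(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    tag = hmac.new(pepper, stretched, "sha256").digest()
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${tag.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the tag from the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, tag_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        stretched = _stretch(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
        tag = hmac.new(pepper, stretched, "sha256").digest()
        return hmac.compare_digest(tag, bytes.fromhex(tag_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex or bad integers).
        return False


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
```

Note what the key buys you beyond the hash: losing the hash table alone is not enough to run a cracking job, because the attacker also needs the pepper. That protection is precisely what a plaintext copy in a crash log bypasses, since the log holds the password before any of these steps run.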
So what went wrong? The hashing pipeline itself was not at fault. Facebook told Wired that the exposed passwords were not all stored in one place, and that the problem did not stem from a single bug in the platform's password management system. Instead, the company had unintentionally and incidentally captured plaintext passwords across a variety of internal mechanisms and storage systems, such as crash logs, which record request data before it ever reaches the hashing step. Facebook added that the scattered nature of the problem made it more complicated both to understand and to fix.
"The data that's captured incidentally as part of debugging, and operating at the network scales they do is not uncommon," Kenn White, a security engineer and director of the Open Crypto Audit Project, told Wired. "But if Facebook retains that for years it raises a lot of questions about their architecture. They have an obligation to protect these debug logs and audit and understand what they're retaining."
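The two failure modes described above, a crash handler that dumps the whole request into a log and years of retained debug logs that nobody has audited, are easy to reproduce and easy to guard against. The following is an added example written for this article, not Facebook's code: the log lines, request body and field names are constructed for illustration, and the `SENSITIVE_KEYS` list is an assumption you would tune to your own parameter names. It shows the unsafe crash record beside a redacting one, and an audit scan of the kind a "routine security review" would run over retained logs.

```python
import json
import re
from typing import Any, List

# Parameter names that must never reach a log. Assumed list for the example.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "access_token", "secret"}
REDACTED = "[REDACTED]"
_KEY_ALT = "|".join(map(re.escape, sorted(SENSITIVE_KEYS)))

# "password=hunter2&..." in query strings and form-encoded bodies
_KV_RE = re.compile(r"(?i)\b(" + _KEY_ALT + r")=([^&\s\"]*)")
# "password": "hunter2" in JSON-ish payloads
_JSON_RE = re.compile(r'(?i)("(?:' + _KEY_ALT + r')"\s*:\s*")([^"]*)(")')


def redact_text(text: str) -> str:
    """Blank credential values inside free-form text (bodies, query strings, JSON)."""
    text = _KV_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", text)
    return _JSON_RE.sub(lambda m: f"{m.group(1)}{REDACTED}{m.group(3)}", text)


def redact_value(obj: Any) -> Any:
    """Recursively copy a structure, blanking values stored under sensitive keys."""
    if isinstance(obj, dict):
        return {
            k: (REDACTED if isinstance(k, str) and k.lower() in SENSITIVE_KEYS else redact_value(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_value(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def crash_record_unsafe(request: dict, exc: Exception) -> str:
    """The failure mode: serialise the whole request into the crash log."""
    return f"login handler crashed: {exc!r} request={json.dumps(request, sort_keys=True)}"


def crash_record_safe(request: dict, exc: Exception) -> str:
    """Same diagnostic value for the on-call engineer, minus the credential."""
    return f"login handler crashed: {exc!r} request={json.dumps(redact_value(request), sort_keys=True)}"


def audit_log_lines(lines: List[str]) -> List[int]:
    """Return indexes of retained log lines that still carry a non-redacted credential value."""
    hits = []
    for i, line in enumerate(lines):
        leaked = any(m.group(2) and m.group(2) != REDACTED for m in _KV_RE.finditer(line)) or any(
            m.group(2) and m.group(2) != REDACTED for m in _JSON_RE.finditer(line)
        )
        if leaked:
            hits.append(i)
    return hits


# Constructed sample data for the example; not real Facebook logs or requests.
SAMPLE_REQUEST = {
    "email": "alice@example.com",
    "password": "hunter2",
    "device": {"os": "KaiOS 2.5", "app": "lite"},
}
SAMPLE_LOG = [
    "2019-01-14 03:12:09 INFO  lite-gateway request_id=8f1 path=/login user=alice",
    '2019-01-14 03:12:09 ERROR lite-gateway crash: KeyError body="email=alice%40example.com&password=hunter2&remember=1"',
    '2019-01-14 03:12:10 DEBUG auth-worker payload={"user": "bob", "password": "correct horse", "locale": "pt_BR"}',
    "2019-01-14 03:12:11 INFO  auth-worker password=[REDACTED] user=carol result=ok",
]

if __name__ == "__main__":
    print(crash_record_unsafe(SAMPLE_REQUEST, KeyError("session")))
    print(crash_record_safe(SAMPLE_REQUEST, KeyError("session")))
    print("leaking lines:", audit_log_lines(SAMPLE_LOG))
    print("after scrub:", audit_log_lines([redact_text(l) for l in SAMPLE_LOG]))
```

The redaction has to happen at the point where the request is serialised, before the line is written; scrubbing afterwards only works for the copies you know about, which is exactly the problem with passwords scattered across many internal systems. The audit function is the complementary control: run it periodically over whatever debug archives you retain, and treat any hit as an incident, because the review that found Facebook's copies is the only reason the 2012 archives were noticed at all.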
The basic data defense mistake also seems contrary to the "Hacker Way" mantra that Facebook co-founder Mark Zuckerberg has espoused at the social network. Ironically, it was a security review into another breach last September, in which attackers stole extensive data from 30 million users by compromising their access tokens (the credentials generated at login that keep a user signed in), that put the spotlight on the password problem. "In the course of our review, we have been looking at the ways we store certain other categories of information, like access tokens, and have fixed problems as we've discovered them," said Canahuati.
But whether or not you are one of the users whose password was exposed to prying eyes, it is advisable to change it as a precaution, and to change it anywhere else you reused it, since a plaintext copy from one site unlocks every other account that shares the password. All you have to do is go to Settings, click on the Security and Login option and then edit your password. "Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third party authentication app. When you log in with your password, we will ask for a security code or to tap your security key to verify that it is you," Canahuati further suggested.
Edited by Sushmita Choudhury Agarwal