Over half a billion Facebook users’ passwords sat unsecured on the company’s servers for years, the tech giant admitted, after an investigation uncovered the egregious bug – but it’s OK, only Facebook employees could access them.
Facebook acknowledged the glaring oversight after an anonymous employee blew the whistle to Krebs on Security, admitting “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” had been affected, then adding insult to injury with a casual admission that they’d discovered the security flaw “as part of a routine security review in January.”
The scandal-plagued social media giant hastened to assure users that “no passwords were exposed externally and we didn’t find any evidence of abuse to date,” but their post was cold comfort from the company whose CEO has explicitly called the users who trust him “dumb f***s.”
As many as 600 million users – anyone who created their password after 2012 – had their login credentials stored in a plaintext, unencrypted database where they could be searched by any one of 20,000 Facebook employees, according to the leaker.
Passwords – especially high-value passwords like Facebook’s – are normally “hashed”: run through a one-way cryptographic function so that only the scrambled result is stored, which prevents hackers from using the passwords even if they manage to break into a company’s servers. Storing this data in unsecured plaintext is the cyber-security equivalent of letting guards walk in and out of a bank vault without ever passing through a metal detector.
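To make the difference concrete, here is an added example (not code from the article or from Facebook) that contrasts the two storage patterns using PBKDF2 from Python’s standard library. The user names and passwords in it are constructed sample values; the record format `algorithm$iterations$salt$digest` is an assumption chosen for this illustration.

```python
"""Plaintext vs. salted, iterated hashing of passwords.

Added illustration for the article above; standard library only.
Sample credentials are constructed and not real.
"""
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 work factor (assumed value for this example; raise as hardware improves).
ITERATIONS = 200_000


def store_plaintext(password: str) -> str:
    """The insecure pattern described in the article: the stored value IS the
    password, so anyone who can read the record (an employee, a backup copy,
    an attacker who breaks in) has it immediately."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, work factor, salt, digest.

    A fresh random 16-byte salt per user means two users with the same
    password get different records, so the database cannot be searched for
    "everyone using password X" and precomputed tables are useless.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    The stored record never has to be turned back into the password; a
    malformed record simply fails verification instead of raising.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        recomputed = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def record_reveals_password(record: str, password: str) -> bool:
    """The check an auditor runs over a password store: does the stored value
    literally contain the password? True for plaintext, False for a hash."""
    return password in record


def audit_store(records: dict) -> list:
    """Flag every user whose record is not a recognised hash format.

    This is the kind of sweep a security review would run to find records that
    were written in the clear; it inspects only the stored format, not passwords.
    """
    return [user for user, rec in records.items() if not rec.startswith("pbkdf2_sha256$")]


if __name__ == "__main__":
    # Constructed sample database mixing both storage patterns.
    db = {
        "alice": store_hashed("correct horse battery staple"),
        "bob": store_plaintext("hunter2"),  # the bug the article describes
    }
    print("alice logs in:", verify_hashed(db["alice"], "correct horse battery staple"))
    print("alice's record shows her password:",
          record_reveals_password(db["alice"], "correct horse battery staple"))
    print("bob's record shows his password:", record_reveals_password(db["bob"], "hunter2"))
    print("records stored in the clear:", audit_store(db))
```

Two points the code makes that the paragraph only states: the hashed record can still be used to check a login (`verify_hashed`) without ever containing the password, and the per-user salt means the same password hashed twice yields two different records, so the store cannot be searched for a known password the way the plaintext database could.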
Facebook says it has fixed the bug and promised to notify all users whose passwords were stored unencrypted. The vulnerability is only the latest in a seemingly endless string of outrages. Earlier this month, it emerged that Facebook had made users’ ostensibly private phone numbers – given for security purposes only – into just another searchable attribute, with no option to opt out and the added indignity of those numbers being targeted with ads. In September, data from some 30 million accounts was stolen via compromised access tokens and, in December, seven million users learned that third-party app developers could access their private photos – even those they’d never uploaded to the platform.
While it had their attention, Facebook took the opportunity on Thursday to notify users about a cool new “physical security key” they could log in with – a “small hardware device that goes in the USB drive of your computer” ideal for “high-risk users including journalists, activists, political campaigns and public figures.”
“There is nothing more important to us than protecting people’s information,” said Pedro Canahuati, vice president of engineering, security and privacy for Facebook – while presumably hiding a smirk.