Perhaps we should all change our Facebook passwords to play
it safe, following news that Facebook kept, from as early as 2012, “hundreds of
millions” of user account passwords in plain text, making them available to some
20,000 employees, writes
KrebsOnSecurity following a tip from a source at Facebook.
According to Brian Krebs, Facebook is looking into a number
of application “security failures” that led to the logging and storage of
unencrypted password data on the internal network. This logging failure may have
affected between 200 million and 600 million accounts, but the company is still
investigating before it reveals the exact number of exposed passwords, as well
as details on the timeframe or employees who may have accessed the data.
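The failure Krebs describes, application code that writes raw password data into internal logs, is easy to reproduce and easy to prevent. The following is an added Python example, not Facebook's code: it shows a request-logging call that leaks a password field, a `logging.Filter` that redacts secret-named fields before any handler writes the record, and a scanner that finds already-leaked values in existing log lines. The form fields, logger names and the list of secret key names are constructed for illustration.

```python
"""Preventing and detecting plain-text passwords in application logs (added example)."""
import io
import json
import logging
import re
from typing import Any

# Field names treated as secrets. This list is an assumption for the example;
# a real application would extend it to match its own parameter names.
SECRET_KEYS = {"password", "passwd", "pwd", "secret", "token", "access_token"}

# Matches key=value, key: value, or "key": "value" for any secret key in free text.
_SECRET_PATTERN = re.compile(
    r'(?i)(?P<key>\b(?:' + "|".join(sorted(SECRET_KEYS)) + r')\b)'
    r'(?P<sep>"?\s*[=:]\s*"?)'
    r'(?P<val>[^\s,"&}]+)'
)


def redact_mapping(obj: Any) -> Any:
    """Return a copy of a dict/list structure with secret-named keys replaced."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SECRET_KEYS else redact_mapping(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_mapping(v) for v in obj]
    return obj


def redact_text(text: str) -> str:
    """Replace the value following any secret key in free-form text."""
    return _SECRET_PATTERN.sub(
        lambda m: m.group("key") + m.group("sep") + "[REDACTED]", text)


class SecretRedactingFilter(logging.Filter):
    """Scrub secrets from the fully formatted message before handlers see it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format once, redact, and drop args so handlers do not re-format.
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def log_login_attempt(logger: logging.Logger, form: dict) -> None:
    # The leaky pattern: dumping the whole request body "for debugging".
    logger.info("login attempt: %s", json.dumps(form))


def capture_logs(form: dict, redact: bool) -> str:
    """Run the leaky logging call with or without the filter; return the output."""
    buf = io.StringIO()
    logger = logging.getLogger(f"demo.{'redacted' if redact else 'raw'}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redact:
        logger.addFilter(SecretRedactingFilter())
    log_login_attempt(logger, form)
    handler.flush()
    return buf.getvalue()


def find_leaked_secrets(log_lines: list) -> list:
    """Detection for existing logs: (line_number, key) for each unredacted secret."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in _SECRET_PATTERN.finditer(line):
            if m.group("val") != "[REDACTED]":
                hits.append((n, m.group("key").lower()))
    return hits


# Constructed sample login form; the values are not real credentials.
FORM = {"email": "user@example.test", "password": "hunter2", "remember": True}

if __name__ == "__main__":
    raw = capture_logs(FORM, redact=False)
    safe = capture_logs(FORM, redact=True)
    print("without filter:", raw.strip())
    print("with filter:   ", safe.strip())
    print("leaks found in raw log:", find_leaked_secrets(raw.splitlines()))
```

The filter is attached to the logger rather than to one handler so that every destination (file, syslog, shipping agent) receives the redacted record; the scanner is what you would run over archived logs once such an exposure is suspected, to size the problem before deciding on a forced reset.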
“The longer we go into this analysis the more comfortable
the legal people [at Facebook] are going with the lower bounds” of affected
users, the source told KrebsOnSecurity. “Right now they’re working on an effort
to reduce that number even more by only counting things we have currently in
our data warehouse.”
The social network says no evidence suggests the data was
manipulated or compromised in any way by its employees and doesn’t urge users
to reset their passwords.
“We’ve not found any cases so far in our investigations
where someone was looking intentionally for passwords, nor have we found signs
of misuse of this data,” said Facebook software engineer Scott Renfro. “In
this situation what we’ve found is these passwords were inadvertently logged
but that there was no actual risk that’s come from this. We want to make sure
we’re reserving those steps and only force a password change in cases where
there’s definitely been signs of abuse.”
Facebook claims the incident was detected in January and the
people most affected so far appear to be Facebook Lite users.
“We estimate that we will notify hundreds of millions of
Facebook Lite users, tens of millions of other Facebook users, and tens of
thousands of Instagram users,” the company said.