Facebook stored hundreds of millions of passwords unprotected

Serviceteam IT Security News

Facebook mistakenly stored “hundreds of millions” of passwords in plaintext, unprotected by any encryption, the company has admitted.

The mistake, which led to user passwords being kept in Facebook’s internal servers in an insecure way, affects “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”, according to the social networking site. Facebook Lite is a version of Facebook created for use in nations where mobile data is unaffordable or unavailable.

In a statement, Facebook’s vice-president for engineering, security and privacy, Pedro Canahuati, said: “We have found no evidence to date that anyone internally abused or improperly accessed” the passwords, which “were never visible to anyone outside of Facebook”. Affected users will be directly notified.

Nonetheless, the risk of misuse was high. According to security reporter Brian Krebs, who cited a “senior Facebook insider”, “access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords”.

Best practice for password security involves a number of precautions to ensure that, even if the company is hacked, stolen passwords cannot be used. Passwords should be “hashed”, a one-way process which transforms every password into a unique “hash”, and ideally “salted”, ensuring that even two identical passwords produce different hashes. Those are the security practices that Facebook normally takes, and which were overlooked in this case.

Canahuati said Facebook has now fixed this particular issue, as well as some problems the company has discovered in other security features, such as the code by which users log in through other apps.

The information commissioner’s office warns companies: “Do not store passwords in plaintext – make sure you use a suitable hashing algorithm, or another mechanism that offers an equivalent level of protection against an attacker deriving the original password.

“You should also ensure that the architecture around your password system does not allow for any inadvertent leaking of passwords in plaintext.” The guidance refers to the exact sort of error that Facebook admitted to on Thursday.

The ICO has not issued a fine purely for storing passwords in an insecure fashion, although it has cited insecure storage as an aggravating factor when penalising more serious data protection breaches.

Source: The Guardian

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

/by
You might also like
Serviceteam IT Security News Design Principles: Making services hard to compromise
Serviceteam IT Security News Emergency Oracle Patch Closes Bug Rated 10 in Severity
Serviceteam IT Security News Firewall deployment for SCADA and process control networks
Serviceteam IT Security News Learning to love logging
Serviceteam IT Security News Variety in risk information
Serviceteam IT Security News Microsoft Patches 15 Critical Bugs in March Patch Tuesday Update