Do I trust Facebook? It knows my name, where I live, who my friends and family are, what I like, where I go, and daily – what I think and feel. It knows more about me than most people I meet – and now it knows my private password as well.
That last one is disturbing. It really shouldn’t know that – passwords are never supposed to be stored in a readable form. They are typically hashed – converted using mathematics into a secure and unreadable form, and only ever used to check if it matches what the user tries to enter later to access the same account. This protocol preserves the user’s privacy and means that Facebook employees can’t copy the password and use it to try and break access other sites and systems online where I might have used the same password.
Unfortunately for me, and hundreds of millions of Facebook users – our Facebook passwords were stored in plain text – exposing them for many years to anyone who had access to Facebook systems – those very same Facebook employees. Up to 20,000 of them.
FB has had a rough couple of years with Cambridge Analytica and other high profile scandals that have exposed consumer data in ways which are unsavoury at best and potentially dangerous at worst. The firm has repeated assured it’s users, the public and world governments that it takes privacy seriously – and so this news comes as a huge blow.
There is no way to check which employees shared those passwords, whether they were copied, re-used for off book procedures, or even stolen and taken to other companies when those employees happened to leave the company. Between 200 and 600 million users are affected, and Facebook confirmed the issue in a blog post diplomatically titled ‘Keeping Passwords Secure’. To it’s credit it has said the issue has been fixed, and was identified in a review in January. However Facebook also admitted that the plain text logging of passwords has been going on since 2012. Seven years.
Facebook has stated there’s no evidence yet those passwords were exposed outside the company, and they weren’t abused internally. Though – how would they know at this stage? People who stole or abused those passwords are unlikely to have been forthcoming, and no details have been forthcoming as why they are convinced this is the case.
The issue impacted “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the company says. This means the problem extends beyond the core Facebook site, and affects other properties; the company has been silent as to whether WhatsApp has also been affected.
Despite protestations of innocence, the company admitted at least 2,000 Facebook employees searched through the passwords, though they would not say why.
The company is the largest online store of personal and social networking information in the world, and has suffered a series of security issues even until quite recently. Five months ago, in October 2018, a hacker stole personal information from 29 million accounts after first stealing login tokens. Earlier in the year, private messages from 81,000 users were found to have been put up for sale.
The company is now facing calls for it’s breakup (along with other Internet behemoths) from politicans in running for the US presidency