It’s another day, so time for another Facebook scandal, as the company admitted Thursday that it had stored hundreds of millions of its users’ passwords internally in a readable format.
The world’s largest social network said that during a routine review in January it had found the flaw in its internal data storage systems, adding that the company had now fixed the issue.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” Pedro Canahuati, vice-president of engineering, security and privacy, said.
Mr Canahuati’s post was published shortly after a blog by cyber security journalist Brian Krebs first reported on the incident, citing a Facebook source who said that the account passwords of between 200m and 600m users may have been searchable by more than 20,000 Facebook employees. Mr Krebs claimed that some of these passwords were available in plain text as far back as 2012.
The company said it inadvertently logged passwords in plain text in a variety of circumstances, such as when it received reports of a user’s app crashing. Mr Canahuati said that Facebook had found “no evidence to date that anyone internally abused or improperly accessed them” or that anyone outside of Facebook had viewed the passwords. However he said that the company would be notifying the users affected “as a precaution”.
He estimated this included hundreds of millions of users of Facebook Lite, a version of the platform used by people in regions with limited internet connections, plus tens of millions of other Facebook users and tens of thousands of users of Instagram, its photo-sharing app.
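The failure mode described above (a diagnostic report that happens to carry the user's login form, which a logging pipeline then writes out verbatim) is worth seeing in code. The following Python scrubber is an added example written for this page, not Facebook's code; the crash-report layout, the field names, the `SENSITIVE_KEYS` list and the sample values are all constructed for illustration.

```python
"""Scrubbing secrets from client crash reports before they reach application logs.

Added example, not code from the article or from Facebook. The report layout,
key names and sample values below are constructed.
"""
import json
import logging
import re
from io import StringIO

# Keys whose values must never reach a log in clear text (constructed list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "access_token", "token",
                  "secret", "authorization"}
REDACTED = "[REDACTED]"

# Strings may carry secrets in serialized form: URL-encoded bodies (key=value)
# and JSON blobs ("key": "value"). Both patterns are constructed for this example.
_NAMES = r"(?:password|passwd|pwd|access_token|token|secret|authorization)"
_KV_RE = re.compile(r"(?i)\b(" + _NAMES + r")=([^&\s]*)")
_JSON_RE = re.compile(r'(?i)"(' + _NAMES + r')"\s*:\s*"[^"\\]*"')

# Constructed sample: a mobile client bundles its last request and form state
# into the crash report it uploads, so the clear-text password rides along.
CRASH_REPORT = {
    "app": "example-lite",
    "exception": "NullPointerException",
    "last_request": {
        "path": "/login",
        "body": "email=alice%40example.com&password=hunter2",
        "headers": {"Authorization": "Bearer tok_ABC123"},
    },
    "form_state": {"email": "alice@example.com", "password": "hunter2"},
}


def scrub(obj):
    """Return a copy of obj with sensitive keys and serialized secrets redacted."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else scrub(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    if isinstance(obj, str):
        obj = _KV_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", obj)
        return _JSON_RE.sub(lambda m: f'"{m.group(1)}":"{REDACTED}"', obj)
    return obj


class ScrubbingFilter(logging.Filter):
    """Logging filter that scrubs record arguments before they are formatted."""

    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = scrub(record.args)
        elif record.args:
            record.args = tuple(scrub(a) for a in record.args)
        return True


def log_crash(report, redact=True):
    """Log one crash report through a fresh in-memory logger; return the log text.

    redact=False reproduces the unsafe pipeline (report logged as-is);
    redact=True attaches ScrubbingFilter so secrets are masked first.
    """
    buf = StringIO()
    logger = logging.getLogger("crash.safe" if redact else "crash.unsafe")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.addHandler(logging.StreamHandler(buf))
    logger.filters.clear()
    if redact:
        logger.addFilter(ScrubbingFilter())
    logger.info("client crash in %s: %r", report["app"], report)
    return buf.getvalue()


def leaks(log_text, *secrets):
    """True if any of the given secret values appears verbatim in the log text."""
    return any(s in log_text for s in secrets)


if __name__ == "__main__":
    print("unsafe:", log_crash(CRASH_REPORT, redact=False).strip())
    print("safe:  ", log_crash(CRASH_REPORT, redact=True).strip())
    print("scrubbed JSON:", json.dumps(scrub(CRASH_REPORT), sort_keys=True))
```

The filter is a safety net at the last hop before the log sink; the primary fix is to stop collecting login-form state and raw request bodies into diagnostics at all, and to keep the scrub list in step with every new field or header that can carry a credential. Auditing existing logs for the same patterns is the detection side of the same control.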
Facebook appears to have been as underhand as usual in its disclosure, acknowledging the issue only after it had been reported elsewhere. The social giant said it had not told regulators of the issue in January because it had planned to do so once it fully completed its internal investigation, which is expected to wrap up shortly.
It is unclear whether the latest incident represents a breach of the EU’s new data protection regulation, known as the General Data Protection Regulation, or GDPR. The Irish Data Protection Commissioner, which oversees compliance with GDPR, said in a statement:
“Facebook have been in contact and have informed us of this issue. We are currently seeking further information.”
Facebook said on Thursday that in the course of its routine security review, it had been “looking at the ways we store certain other categories of information” including another kind of key known as access tokens, adding that it had “fixed problems as we’ve discovered them”.