It’s difficult to summarize all of Facebook’s privacy,
misuse, and security missteps in one neat description. Hundreds of millions of
Facebook users’ passwords were stored in plain text, searchable by
Facebook employees for years.
According to a report by Krebs
on Security, Facebook acknowledged a bug in its password management systems
that caused hundreds of millions of user passwords for Facebook, Facebook Lite,
and Instagram to be stored as plaintext in an internal platform.
The investigation so far indicates between 200 million and
600 million Facebook users may have had their account passwords stored in plain
text and searchable by more than 20,000 Facebook employees.
Most of the passwords were exposed back in 2012.
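The storage failure described above is a credential written verbatim into an internal store, where anyone with read access can see it. The added example below (not Facebook’s code; the scrypt parameters, record format and the constructed sample records are assumptions) shows that failure mode next to the salted, memory-hard hashing a service should use, plus an audit that flags stored credentials not in the hashed format.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example (not Facebook's values).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(password: str) -> str:
    """Failure mode from the article: the credential is stored verbatim,
    so anyone who can read the store can read the password."""
    return password


def store_hashed(password: str, salt: bytes = None) -> str:
    """Correct form: random per-user salt plus a memory-hard KDF. The record
    lets the service check a login without being able to recover the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                            r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters and compare in
    constant time; a record in any other format never verifies."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit(records: dict) -> list:
    """Return the users whose stored credential is not a hashed record. This is
    the kind of routine review that catches plaintext values in an internal store."""
    flagged = []
    for user, rec in records.items():
        parts = rec.split("$")
        if len(parts) != 6 or parts[0] != "scrypt":
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    # Constructed sample store: one record written the wrong way, one the right way.
    sample = {"alice": store_plaintext("hunter2"), "bob": store_hashed("correct horse")}
    print("plaintext records found for:", audit(sample))
```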
Shortly after KrebsOnSecurity published its story, Facebook
posted its own statement by its vice president of engineering, security and
privacy, Pedro Canahuati. He states that the company first discovered the issue
during “a routine security review in January.”
Facebook claims that no one outside of the company was able
to view the passwords and that it has found no evidence that anyone working at
the social network “abused or improperly accessed them.” According to
KrebsOnSecurity’s source, around 2,000 engineers or developers queried data
that contained plain text passwords approximately 9 million times.
In September last year, it said information on 50 million
users had been exposed by a security flaw.
And earlier in 2018 it revealed that data on millions of
users had been harvested by data science company Cambridge Analytica.
But whether or not you receive a password notification from Facebook,
it is worth changing your password now as a precaution.
To do so on Facebook desktop, go to Settings → Security and
Login → Change Password. On Facebook for iOS and Android, go to Settings &
Privacy → Settings → Security and Login → Change Password. On Facebook Lite for
Android, go to Settings → Security and Login → Change Password. Changing your
account password on either main Facebook or Facebook Lite changes it for both.
On Instagram, go to Settings → Privacy and Security →
Password to change your password. Instagram and Facebook do not share a
password, but the accounts can be linked so that one can be used to log into the other.
Facebook is not forcing affected users to change their
passwords at this time.