The social media network said the passwords were never
accessible to anyone outside the company, but cybersecurity experts say
passwords should be encrypted to prevent the potential for abuse.
“To be clear, these passwords were never visible to anyone
outside of Facebook and we have found no evidence to date that anyone
internally abused or improperly accessed them,” Facebook said in a statement
Thursday afternoon.
The storage of passwords in plain text instead of encrypted
form meant they were plainly visible to thousands of Facebook employees dating
back several years, by some accounts to 2012.
“The silver lining on the cloud is that Facebook hasn’t seen
any evidence that any employees have abused access to the password data – but
frankly, how would they know for sure?” wrote cybersecurity expert Graham
Cluley on Thursday.
The story was first reported by independent journalist Brian
Krebs who talked to an anonymous security professional at Facebook who said
employees built applications that logged password data but failed to properly
encrypt them.
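As an added example (not code from the article, and not Facebook's own code), the defensive pattern this incident calls for: store only a salted PBKDF2 hash of each password (hashing, rather than reversible encryption, is the standard practice the article's "encrypted" refers to) and scrub password fields from log records before any handler writes them, so an application that logs request data cannot capture plaintext credentials. The iteration count, field names and sample inputs are assumptions.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters; the iteration count is an assumed value.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'pbkdf2_sha256$iters$salt_hex$hash_hex' record.
    Only this record is stored; the plaintext password is never persisted."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

# Matches password-like fields in JSON bodies ("password": "x") and
# form/query strings (password=x); field names are an assumed list.
SECRET_FIELD = re.compile(r'(?i)("?(?:password|passwd|pwd)"?\s*[:=]\s*)("?)[^"&,\s]+\2')

def redact(text: str) -> str:
    """Replace the value of any password-like field with a placeholder."""
    return SECRET_FIELD.sub(r"\1\2[REDACTED]\2", text)

class RedactSecretsFilter(logging.Filter):
    """Logging filter: formats the record, then masks credentials before
    any handler (file, console, log shipper) can write the plaintext."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

if __name__ == "__main__":
    log = logging.getLogger("login")
    log.addFilter(RedactSecretsFilter())
    logging.basicConfig(level=logging.DEBUG)
    # Constructed sample request body; the filter rewrites it before output.
    log.debug('login body: {"user": "alice", "password": "hunter2"}')
```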
Facebook said it will notify users potentially affected by
the security oversight.
“We have fixed these issues and as a precaution we will be
notifying everyone whose passwords we have found were stored in this way,”
Facebook said. “We estimate that we will notify hundreds of millions of
Facebook Lite users, tens of millions of other Facebook users, and tens of
thousands of Instagram users.”
While it remains unclear if the oversight has directly
affected any of the 2.2 billion worldwide users of the social media platform,
it marks yet another setback for the company.
Last week, federal prosecutors were scrutinizing several large deals Facebook made with other technology
companies as part of a criminal investigation into the company’s data privacy
practices.
Also this month, Facebook came under fire for another
security blunder: Making phone numbers, which are often used in two-factor
authentication processes, visible and allowing people to search for friends via
phone numbers.
Facebook is not requiring users to change their passwords,
but you should do it anyway.
There are many methods for setting strong passwords — for
example, do not use the same password across multiple sites, and do not use
your Social Security number as a username or a password. You can set up
security features such as two-step verification as well.
There are a few other steps to take. I recommend also setting
up your Facebook account to receive alerts in the event that an unrecognized
device logs in to the account. To do so, go to your Facebook app settings, tap
Security and Login, and then tap Get alerts about unrecognized logins. From
here, you can choose to receive the alerts via messages, email or
notifications.
An audit of devices that are logged in to your account may
also be in order, so that you know what laptops, phones and other gadgets are
already accessing your account. On Facebook’s Security and Login page, under
the tab labeled “Where You’re Logged In,” you can see a list of devices that
are signed in to your account, as well as their locations.
If you see an unfamiliar gadget or a device signed in from
an odd location, you can click the “Remove” button to boot the device out of
your account.
Facebook has attempted to distance itself from security
oversights in recent weeks while charting a course away from a business model
that requires it to use the data gathered about its users in targeted
advertising and other consumer-related enterprises.
Last week, CEO Mark Zuckerberg unveiled a new
“privacy-focused vision” for the company that prizes private communication
through its applications over public sharing.
“There is nothing more important to us than protecting
people’s information, and we will continue making improvements as part of our
ongoing security efforts at Facebook,” the company said on Thursday.
SOURCE: New York Times