The social media network said the passwords were never accessible to anyone outside the company, but cybersecurity experts say passwords should be encrypted to prevent the potential for abuse.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Facebook said in a statement Thursday afternoon.
The storage of passwords in plain text instead of encrypted form meant they were plainly visible to thousands of Facebook employees dating back several years, by some accounts to 2012.
“The silver lining on the cloud is that Facebook hasn’t seen any evidence that any employees have abused access to the password data – but frankly, how would they know for sure?” wrote cybersecurity expert Graham Cluley on Thursday.
The story was first reported by independent journalist Brian Krebs, who spoke to an anonymous security professional at Facebook. That source said employees had built applications that logged password data without properly encrypting it.
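The two defects the article describes, applications that wrote passwords into logs and a password store that held them in readable form, are easy to reproduce and just as easy to close off. The following Python is an added example written for this page; it is not Facebook's code and not from the Krebs report. It assumes a logging hook of the kind the anonymous source described, builds a constructed login record, and shows the same record with a redaction filter in front of it, next to a salted PBKDF2 hash as the form a password should be stored in. The field names, the regular expression and the sample credential are all constructed for illustration.

```python
"""Added example: plaintext password logging beside its redacted form, and
salted hashing beside plaintext storage. Constructed for illustration; none
of the names here come from Facebook's systems."""
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# --- Storage: what a password store should hold instead of the password itself ---
ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune to your hardware)


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, iterations, random salt, digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- Logging: scrub credential fields before a record reaches any handler ---
# Matches key=value or "key": "value" for the field names listed (assumed list).
SECRET_FIELDS = re.compile(
    r'("?(?:password|passwd|pwd|token)"?\s*[:=]\s*)("[^"]*"|\S+)', re.IGNORECASE
)


class RedactCredentials(logging.Filter):
    """Logger-level filter: formats the message, then blanks secret values."""

    def filter(self, record: logging.LogRecord) -> bool:
        text = record.getMessage()  # applies the % args so they get scrubbed too
        record.msg = SECRET_FIELDS.sub(r"\1[REDACTED]", text)
        record.args = ()
        return True


def capture_login_log(username: str, password: str, redact: bool) -> str:
    """Log a login request the way a debugging hook might, return what the log holds."""
    buf = StringIO()
    logger = logging.getLogger(f"login-demo-{redact}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    if redact:
        logger.addFilter(RedactCredentials())
    # The kind of line the article's hooks produced: request fields, credential included.
    logger.debug("login request user=%s password=%s", username, password)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample credential.
    print("unfiltered:", capture_login_log("alice", "hunter2", redact=False), end="")
    print("filtered:  ", capture_login_log("alice", "hunter2", redact=True), end="")
    record = hash_password("hunter2")
    print("stored:    ", record)
    print("verify ok: ", verify_password("hunter2", record))
```

The filter sits on the logger rather than on one handler so that every destination, file, console or log shipper, sees the scrubbed record; a handler-level filter would leave the other handlers unprotected. The storage half is the point the experts quoted in the article are making: with a salted, slow hash the operator holds something that lets it check a password without being able to read it.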
Facebook said it will notify users potentially affected by the security oversight.
“We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” Facebook said. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
While it remains unclear if the oversight has directly affected any of the 2.2 billion worldwide users of the social media platform, it marks yet another setback for the company.
Last week, federal prosecutors were scrutinizing several large deals Facebook made with other technology companies as part of a criminal investigation into the company’s data privacy practices.
Also this month, Facebook came under fire for another security blunder: making phone numbers, which are often used in two-factor authentication processes, visible and allowing people to search for friends via phone numbers.
Facebook is not requiring users to change their passwords, but you should do it anyway.
There are many methods for setting strong passwords — for example, do not use the same password across multiple sites, and do not use your Social Security number as a username or a password. You can set up security features such as two-step verification as well.
There are a few other steps to take. I recommend also setting up your Facebook account to receive alerts in the event that an unrecognized device logs in to the account. To do so, go to your Facebook app settings, tap Security and Login, and then tap Get alerts about unrecognized logins. From here, you can choose to receive the alerts via messages, email or notifications.
An audit of devices that are logged in to your account may also be in order, so that you know what laptops, phones and other gadgets are already accessing your account. On Facebook’s Security and Login page, under the tab labeled “Where You’re Logged In,” you can see a list of devices that are signed in to your account, as well as their locations.
If you see an unfamiliar gadget or a device signed in from an odd location, you can click the “Remove” button to boot the device out of your account.
Facebook has attempted to distance itself from security oversights in recent weeks while charting a course away from a business model that requires it to use the data gathered about its users in targeted advertising and other consumer-related enterprises.
Last week, CEO Mark Zuckerberg unveiled a new “privacy-focused vision” for the company that prizes private communication through its applications over public sharing.
“There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” the company said on Thursday.
SOURCE: New York Times