Facebook has admitted that they have discovered that hundreds of millions of user passwords were stored in a readable format or in plaintext within their internal data storage systems.
In a statement, Pedro Canahuati, Facebook VP Engineering, Security and Privacy, said that their login systems should have masked the passwords, and have discovered the issue during their routine security review in January. He said that the passwords were never visible to anyone outside of Facebook and have found no evidence to date that anyone internally abused or improperly accessed those passwords. He also said that they have fixed the issues and will notify affected users as a precaution.
The social media giant estimates that it has affected hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.
A senior Facebook employee who spoke on condition of anonymity told KrebsOnSecurity that initial investigation estimates that between 200 million and 600 million Facebook users might have had their passwords stored in plaintext and was searchable by more than 20,000 Facebook employees. Some of the discovered archives of plaintext passwords even date back to 2012.
Although Facebook says that no passwords were exposed externally and that they didn’t find any evidence of abuse to date, the company still recommends changing your passwords on Facebook and Instagram as well as enabling a security key or two-factor authentication (2FA) to keep it secure.
Paul Ducklin, a senior technologist at cybersecurity provider Sophos, also recommends changing your Facebook password and enabling 2FA. “It’s perfectly possible that no passwords at all fell into the hands of any crooks as a result of this. But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before), then you can expect them to be abused. Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed,” Ducklin said.
You can read Facebook’s full statement here.