- Facebook disclosed that it stored the passwords of hundreds of millions of users in plaintext.
- Users of Facebook, Facebook Lite and Instagram were affected by the incident.
- The passwords were stored in a readable format within their internal storage system.
- The issue was discovered in January 2019 and was fixed immediately.
Facebook revealed that it mistakenly stored the passwords of hundreds of millions of Facebook and Instagram users in plaintext for years.
In a post published yesterday, Facebook disclosed that it found the passwords of some users stored in a readable format within its internal storage system.
The passwords were accessible only to those with internal access to the servers and databases, not to anyone outside Facebook.
The issue was discovered during a routine security review by Facebook IT staff in January 2019 and was fixed immediately.
According to estimates, hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users were affected by the issue.
The investigation is still ongoing, and Facebook said that to date it has found no evidence that employees abused access to this data.
According to security researcher Brian Krebs, at least 2000 Facebook employees have access to these passwords.
“My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.”
A senior Facebook employee who spoke to Krebs on condition of anonymity said that “Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.”
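The failure described above, applications writing password fields into logs in clear text, is commonly guarded against with a redaction filter on the log handler. The following is an added example, not code from Facebook or from the original article; the key names, the `login-demo` logger and the sample requests are constructed assumptions.

```python
import io
import logging
import re

# Key names treated as credentials (assumed list; extend for your own schema).
# Matches key=value, key: value and "key": "value", including prefixed keys
# such as new_password.
_SECRET = re.compile(
    r"""(["']?[\w-]*(?:password|passwd|pwd|secret|token)[\w-]*["']?\s*[=:]\s*)"""
    r"""("[^"]*"|'[^']*'|[^\s&,;}]+)""",
    re.IGNORECASE,
)


def redact(text):
    """Replace the value of every credential-like field with a marker."""
    return _SECRET.sub(lambda m: m.group(1) + "[REDACTED]", text)


class RedactSecrets(logging.Filter):
    """Attach to handlers, so records from every logger pass through it."""

    def filter(self, record):
        # Render %-style args first so secrets passed as arguments are covered.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def demo():
    """Log three constructed requests and return what reached the sink."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.addFilter(RedactSecrets())
    log = logging.getLogger("login-demo")  # hypothetical application logger
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    log.info("POST /login body=%s", "user=alice&password=hunter2&next=/home")
    log.info('signup {"email": "a@example.com", "password": "hunter2"}')
    log.info("reset for %s new_password: %s", "bob", "S3cret!")
    log.removeHandler(handler)
    return sink.getvalue().splitlines()


if __name__ == "__main__":
    print("\n".join(demo()))
```

Redaction at the handler is a backstop; the credential should not be passed to logging calls in the first place.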
Facebook said it will notify all users affected by the incident.
Facebook also advised users to change their passwords on Instagram and Facebook. Users are advised not to reuse the same password across different accounts and to enable two-factor authentication on their accounts.