Facebook stored up to 600 million user passwords in plain text

By now you have probably heard the alarming news that Facebook stored hundreds of millions of users' passwords in plain text. The story was broken by Brian Krebs, who reported that up to 600 million passwords were stored insecurely and were accessible to Facebook employees.

According to a senior Facebook employee who spoke to Krebs, the social networking site, which has recently been accused of a string of security missteps, is investigating a series of failures in which its own employees built applications that logged unencrypted password data and stored it in plain text on internal company servers. In practice this means Facebook employees could have used those passwords to log into user accounts, and according to Krebs the exposed passwords stretch back to ones created in 2012. A trove like that would also be a jackpot for attackers, which is why Facebook users have reason to be concerned.

Facebook has already released a statement saying it has fixed the issue.

“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution, we will be notifying everyone whose passwords we have found were stored in this way,” said Pedro Canahuati, VP of Engineering, Security and Privacy at Facebook.

The company says an ongoing investigation has so far found no indication that employees abused their access to this data. Should we really believe them? Well…

“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the statement said.

Canahuati adds that the company has now corrected the password logging bug and that it will notify hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users that their passwords may have been exposed.

In line with security best practice, Facebook says it masks people's passwords when they create an account so that no one at the company can see them. The standard way to do that is to store only a salted, one-way hash of each password rather than the password itself; the exposure in this incident came from separate logging code that captured passwords as plain text, independently of how the login system stores them.
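To make the distinction concrete, here is an added example (written for this page, not Facebook's code) of what "masking" looks like in practice and of the failure mode the article describes: a login handler that stores and checks only a salted scrypt hash, next to a debug log statement that writes the incoming request body, password included, unless credential fields are redacted first. The user table, request bodies and field names are constructed for the example, and `hashlib.scrypt` is assumed to be available in the interpreter's OpenSSL build.

```python
import hashlib
import hmac
import json
import logging
import os

# scrypt work factors (assumption: the interpreter's OpenSSL exposes hashlib.scrypt).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_LEN = 16

# Request-body keys that must never reach a log line (constructed list, not exhaustive).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "new_password", "old_password"}


def hash_password(password: str) -> str:
    """Return a salted, one-way scrypt hash in a self-describing storage format.

    Only this string is kept; the password itself is discarded after hashing,
    so a leaked user table does not directly reveal anyone's password.
    """
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def redact(body: dict) -> dict:
    """Copy of a request body with credential fields replaced before logging."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
            for k, v in body.items()}


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so they can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_logger(name):
    """Isolated logger writing only to an in-memory ListHandler."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler()
    logger.addHandler(handler)
    return logger, handler


# Constructed user table: the stored value is a hash, never the password.
USERS = {"alice": hash_password("correct horse battery staple")}


def _login(body: dict, logger: logging.Logger, scrub) -> bool:
    # The debug log of the request body is where plaintext leaks: the check
    # below only ever compares against a hash, but the log line sees the body
    # exactly as it arrived unless it is scrubbed first.
    logger.debug("login request: %s", json.dumps(scrub(body)))
    stored = USERS.get(body.get("username", ""))
    return stored is not None and verify_password(body.get("password", ""), stored)


def login_leaky(body: dict, logger: logging.Logger) -> bool:
    """Failure mode: the body is logged as received, password included."""
    return _login(body, logger, lambda b: b)


def login_safe(body: dict, logger: logging.Logger) -> bool:
    """Hardened form: credential fields are redacted before the log call."""
    return _login(body, logger, redact)


def log_contains(handler: ListHandler, needle: str) -> bool:
    return any(needle in line for line in handler.lines)


if __name__ == "__main__":
    body = {"username": "alice", "password": "correct horse battery staple"}
    leaky_logger, leaky_log = make_logger("login.leaky")
    safe_logger, safe_log = make_logger("login.safe")
    login_leaky(body, leaky_logger)
    login_safe(body, safe_logger)
    print("leaky log exposes password:", log_contains(leaky_log, body["password"]))
    print("safe log exposes password: ", log_contains(safe_log, body["password"]))
```

Both handlers authenticate correctly, which is exactly why this class of bug goes unnoticed: the login path is sound, and the leak lives in instrumentation that nobody thinks of as part of the authentication system. Redacting at the log call is the minimum; a stricter design never passes the raw request object to anything that can serialize it.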

Experts, however, believe this latest incident was most likely an accidental error. Speaking to TechTrendsKE, John Shier, senior security advisor at Sophos, said that despite Facebook's recent struggles with privacy and security, this incident is a little different.

“Authentication data is something that Facebook treats very seriously and has put in place many mechanisms, both externally and internally, to ensure that user credentials are safeguarded. While the details of the incident are still emerging, this is likely an accidental programming error that led to the logging of plain text credentials.”

“That said, this should never have happened and Facebook needs to ensure that no user credentials or data were compromised as a result of this error. This is also another reminder for people who are still reusing passwords or using weak passwords to change their Facebook password to something strong and unique and to turn on 2-factor authentication,” he added.

Featured Image Credits: REUTERS


Nixon Kanali

Tech journalist based in Nairobi. I track and report on tech and African startups. Founder and Editor of TechTrends Media. Nixon is also the East African tech editor for Africa Business Communities.
