Facebook Employees Had Access to Up to 600 Million Passwords

(Image credit: Shutterstock)

According to revelations Thursday, Facebook has kept the passwords of 600 million users in plain text. Up to 20,000 employees could have accessed these passwords at any time, but the company claims there is currently no indication that its employees accessed those passwords improperly.

Facebook Passwords In Plain Text

In a public statement, Facebook said that during a routine security review in January, its security team found that some user passwords were stored in a readable format. The company claimed that this shouldn’t have happened, as it typically deploys techniques to mask passwords and make them unreadable to employees or malicious hackers.

Facebook said that it normally “hashes” and “salts” user passwords as soon as they are created for a new account. The company also uses a function called “scrypt” and a cryptographic key that lets it irreversibly replace the user’s password with a random strings of characters that is then stored on the servers instead of the real password, Pedro Canahuati, VP Engineering, Security and Privacy at Facebook, wrote in the blog.

What Insiders Say

According to sources from inside Facebook, as cited by Krebs on Security up to 2,000 Facebook engineers made approximately 9 million internal queries for data elements that contained plain text user passwords. However, Facebook has officially stated that its own investigation has found that none of its employees has improperly accessed these plain text user passwords so far.

This is at odds with what the insiders said, but it’s possible Facebook is interpreting “improperly accessing the data” in a different way than the insiders that revealed the information to the press.

The sources also claimed that the company’s legal team has been comfortable with lowering the official number of potentially affected users by counting those affected in ways that minimize the exposure.

For instance, one source said Facebook only counted data currently available in its data warehouse, implying that there may have been other data about other users that was deleted (either automatically, through scheduled data purging, or manually).

Facebook plans to notify the affected users (presumably the lower bound of users that it considers affected) but doesn’t intend to reset their passwords automatically. In addition to reminding users to change their passwords for Facebook and Instagram if concerned., the social media giant recommends using a physical security key to better protect your account.

Criminal Investigation into Facebook’s Data Practices

Since the Cambridge Analytica scandal, Facebook has been under fire from world’s governments. Recently, federal prosecutors announced that they have opened a criminal investigation into Facebook’s data deals with device makers and some service vendors. The company allegedly allowed these hardware makers access to user’s personal data beyond what the public APIs allowed.

The Federal Trade Commission (FTC) and the Securities Exchange Commission (SEC) are also conducting their own investigation into Facebook’s mishandling of user data. The FTC is rumored to prepare a multi-billion dollar fine against Facebook over breaching the 2011 privacy-related settlement with the agency.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.