Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.
The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.
My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.
“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.
Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low-speed connections and low-spec phones.
Both GitHub and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people within those organizations, and for far shorter periods of time.
Renfro said the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.
“This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening,” Renfro said. “We have a bunch of controls in place to try to mitigate these problems, and we’re in the process of investigating long-term infrastructure changes to prevent this going forward. We’re now reviewing any logs we have to see if there has been abuse or other access to that data.”
Facebook’s password woes come amid a tough month for the social network. Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world’s largest tech companies.
Earlier in March, Facebook came under fire from security and privacy experts for using phone numbers provided for security reasons — like two-factor authentication — for other things (like marketing, advertising and making users searchable by their phone numbers across the social network’s different platforms).
Update, 11:43 a.m.: Facebook has posted a statement about this incident here.
Tags: Facebook, plaintext passwords, Scott Renfro
More ammunition supporting Elizabeth Warren’s push to impose stronger regulatory controls on (and possibly antitrust actions against) FB, I would think.
I just do not have Facebook or any of those sites. So, I do not have to worry about stuff like that. I do not have any credit cards, any debt and I do not believe in storing anything personal or important on a computer.
How silly!
Liz’s stance on anything is irrelevant. She is powerless, toothless, and desperate. But, otherwise, yea… this.
There is no reason for “antitrust” anything regarding Facebook. There’s nothing to split up. Elizabeth Warren is an idiot.
So, we’re saying that at least 2,000 Facebook employees have had access to account IDs and their associated passwords – the full set of credentials needed for most people to log on. They have no idea where those passwords may have been saved or otherwise exfiltrated from the system by those who accessed them. Yet we have no need to worry at all, and no need to change our passwords? I would recommend every FB user change their password immediately. Especially considering, as someone else wrote earlier, that FB identity federation is used on many non FB sites.
Stay safe, folks.
@Scott
” I would recommend every FB user… quit Facebook …immediately.”
FTFY
I did quit and my profile is still on there. Have tried 3 times and still no luck.
OK, so you quit. You delete your profile. 1) Do all your likes and comments on other users’ accounts disappear? 2) If FB is later served with a subpoena to provide information from your account, is that impossible because the account has been deleted from all the backups? 3) If a disastrous breach occurred whereby FB customer data were snarfed up by hackers, could “deleted” accounts be included in the breach, or not?
I’m sceptical that a FB account, once created, can actually be deleted (expunged, disappeared, vanished) by a simple user request. Perhaps a law enforcement request (think about the witness protection program) could completely wipe all record of such an account from FB’s servers. But, er, I’m sceptical.
I do not believe this was an accident. Even first year graduates know you always hash passwords. It is simply not believable that an organization as big as Facebook would allow plaintext unless it was officially sanctioned somewhere.
Regulators should investigate what Facebook was doing with these passwords. What types of users were targeted? Were they journalists? Officials? Competitors?
Or, more likely, this indicates that the bar for becoming a software engineer at FB is much, much lower than ‘first year graduate’.
The post doesn’t say that passwords weren’t hashed in their storage location, but that they were *logged* unencrypted. That’s an easier mistake to make, if you routinely log requests. I dare say some graduates have even made this mistake from time to time. Easyish to do if you’re at one end of the Dunning Kruger curve.
Why in this day and age are unhashed passwords even hitting the wire in the first place?
There ought to be an authentication protocol agreed upon between the browser and the web server, wherein the browser only ever transmits hashed passwords.
Had a system like this been in place, it would not have been possible for this to have happened, since FB would never have received any plaintext passwords in the first place.
Am I missing something?
Entirely possible but, even so, their work would be monitored by someone higher up.
As well, password security in large organizations is so fundamental that it’s impossible any staff would not be aware of the need to hash. They would hear it mentioned in general conversation and meetings.
From the description it sounds like passwords were stored properly in the database, but the application logs contained network requests containing passwords.
There have been a few incidents like this where logging applications didn’t automatically redact sensitive data in logs.
Facebook’s employees aren’t even employees. They are all contractors — most of whom are overseas. Manila is their largest operation. I think the number of people contracting FIRMS is 4,500. Facebook monitors aren’t monitoring — they are pretending to be algorithms. Increase user engagement and spy on those FB or their customers ID as high value. FB knows it has a problem with contractors — something happened a few months ago in Manila. Maybe someone stole data… that’s what I inferred. Maybe they are being blackmailed? If an employee is coming forward with a partial story… it is spin. Why say unencrypted email addresses if nothing happened… something happened.
So big question – Were FB username and/or email addresses tied to these plain-text passwords? Or was this just merely a long text list of millions of random passwords?
Obviously 20,000 Facebook employees would not be searching the file if it only contained random gibberish.
Big deal?……NOT. If the idiots that use FB to see who’s eating what for breakfast and are responsible for sitting thru a green light while they check their “status”, do not know when they signed up for this stupid forced intrusion and logging of everything and everywhere they go and everyone they ever knew, then they got exactly what they deserve. Of course these idiots are not intelligent enough to not use the same PW on multiple accounts! The government is NOT going to do anything to punish FB, b/c they are using their user profiles to supposedly thwart terrorism…….LOL. WTF…this is AMERICA where ANYTHING GOES!!!
Your comment is ludicrous. Are you always way off the mark, or just most of the time? Your replying is so laughable that people must think you’re a bit mental.
Big deal?……NOT. If the idiots that use FB to see who’s eating what for breakfast and are responsible for sitting thru a green light while they check their “status”, do not know when they signed up for this stupid forced intrusion and logging of everything and everywhere they go and everyone they ever knew, then they got exactly what they deserve. Of course these idiots are not intelligent enough to not use the same PW on multiple accounts! The government is NOT going to do anything to punish FB, b/c they are using their user profiles to supposedly thwart terrorism…….LOL. WTF…this is AMERICA where ANYTHING GOES!!!
Your reply is identical to “Muhammid”‘s above. Why is that ‘Adolfo’?
Looking at the timings, would be interesting to work out which troll factory produced the comments……
Damn, now everyone will know what I had for dinner yesterday.
Mark Z doesn’t care about users’ privacy. He’s been quoted as saying “users are dumb fks to trust me” or something to that effect.
Didn’t get an email notification on this one?
What???
My account was deleted and I couldn’t get my email; it keeps making me change my email and now I can’t get my mail.
Go ahead hack me…I don’t like Facebook anyway…
Facebook has a Password Heaven!!
FYI: In the OWASP ASVS V2 Authentication, Level 1 apps (low risk) don’t require “credential encryption” and “secure storage”.
Users may have apps like this only for extremely low risk purpose.
Do not overestimate ASVS L1 apps.
All my information is bogus anyway, so…. who’s worried?
And if they did steal anything, my credit is so bad, they’d give back my identity with a letter of apology, and one hundred dollars.
So when you send credentials to a website (in response to a 401 challenge using Basic Auth) you will see an Authorization header with a base64 value of the username and password. If you are logging headers, which you probably are, you will see that this kind of stuff is more common than you’d think. The only reason they are getting a hard time is because it is Facebook. If this was your credit union... you’d totally let them get away with it.
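Two of the comments above describe the same failure mode from different angles: one notes that logging applications often don’t redact sensitive fields, and the one just above points out that a Basic Auth header is merely base64, so a header-logging request logger captures the password in recoverable form. As an added example that is not part of the article or any comment, here is a Python logging filter that scrubs credential-bearing material before a request line is written, plus a scanner for the kind of review the article describes, walking existing logs for lines that still carry credentials in the clear. The field names, log format and sample log lines are constructed assumptions, not anything from Facebook’s systems.

```python
"""Redact credentials at the logging boundary, and audit existing logs for leaks.

Added example; not code from the article, Facebook, or any commenter.
All sample lines below are constructed for illustration.
"""
import base64
import io
import logging
import re

REDACTED = "[REDACTED]"

# (kind, pattern): group 1 is the prefix to keep, group 2 is the secret to drop.
# Field names are assumptions about a typical login form / JSON API.
_PATTERNS = (
    ("basic-auth", re.compile(r"(?i)(authorization:\s*basic\s+)([A-Za-z0-9+/=]+)")),
    ("bearer-token", re.compile(r"(?i)(authorization:\s*bearer\s+)([A-Za-z0-9._~+/=-]+)")),
    ("password-field", re.compile(r"(?i)((?:^|[?&\s])(?:password|passwd|pass)=)([^&\s]+)")),
    ("password-field", re.compile(r'(?i)("(?:password|passwd|pass)"\s*:\s*")([^"]*)(?=")')),
)


def redact(text: str) -> str:
    """Replace every secret matched by _PATTERNS with REDACTED, keeping the field name."""
    for _, pat in _PATTERNS:
        text = pat.sub(lambda m: m.group(1) + REDACTED, text)
    return text


class CredentialRedactingFilter(logging.Filter):
    """Attach to a handler so nothing reaches storage before it has been scrubbed."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets hidden in %-args are caught, then clear the args
        # so the formatter does not apply them a second time.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def find_plaintext_credentials(lines):
    """Audit helper: return (line_number, kind) for every unredacted secret found.

    A Basic header is base64, not encryption, so it counts as a plaintext
    credential; an already-redacted value is skipped.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, pat in _PATTERNS:
            for m in pat.finditer(line):
                if m.group(2) != REDACTED:
                    findings.append((n, kind))
    return findings


def emit_through_filter(lines):
    """Route lines through a logger with the filter on its handler; return what is written."""
    stream = io.StringIO()
    logger = logging.getLogger("request-log-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    handler.addFilter(CredentialRedactingFilter())
    logger.addHandler(handler)
    for line in lines:
        logger.info("%s", line)
    handler.flush()
    return stream.getvalue().splitlines()


# Constructed request-log lines resembling what a header/body-logging proxy might write.
SAMPLE_LINES = [
    "2019-01-14T10:02:11Z GET /feed user=alice ua=FBLite/1.0",
    "2019-01-14T10:02:13Z POST /login email=alice%40example.com&password=hunter2",
    '2019-01-14T10:02:15Z POST /api/session body={"user": "bob", "password": "correct horse"}',
    "2019-01-14T10:02:17Z GET /api/me Authorization: Basic "
    + base64.b64encode(b"carol:tr0ub4dor").decode(),
    "2019-01-14T10:02:19Z GET /api/me Authorization: Bearer eyJhbGciOi.constructed.token",
]

if __name__ == "__main__":
    print("leaks in raw log:", find_plaintext_credentials(SAMPLE_LINES))
    written = emit_through_filter(SAMPLE_LINES)
    print("leaks after filter:", find_plaintext_credentials(written))
    for line in written:
        print(line)
```

The filter sits on the handler rather than the logger so that every record reaching that destination is scrubbed regardless of which logger produced it; the scanner reuses the same patterns, so the redaction and the audit cannot drift apart. A real deployment would extend the pattern list to whatever field names the application actually uses.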