Facebook apps logged users’ passwords in plaintext, because why not

Facebook has mined a lot of information about its users over the years: relationships, political leanings, and even phone call logs. And now it appears Facebook may have inadvertently collected another bit of sensitive information: users’ login credentials, stored unencrypted on Facebook’s servers and accessible to Facebook employees.

Brian Krebs reports that hundreds of millions of Facebook users had their credentials logged in plain text by several applications written by Facebook employees. Those credentials were searched by about 2,000 Facebook engineers and developers more than 9 million times, according to a senior Facebook employee who spoke to Krebs; the employee asked to remain anonymous because they did not have permission to speak to the press on the matter.

In a blog post today, Facebook Vice President of Engineering, Security, and Privacy Pedro Canahuati wrote that the unencrypted passwords were found during “a routine security review in January” of Facebook’s internal network data storage. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and, as a precaution, we will be notifying everyone whose passwords we have found were stored in this way.”

Canahuati noted that the passwords were never visible to anyone outside Facebook and that there was “no evidence to date that anyone internally abused or improperly accessed them… We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”

Facebook Lite is a version of the mobile Facebook application “predominantly used by people in regions with lower connectivity,” as Canahuati put it. The Android app is most popular in Brazil, Mexico, India, Indonesia, and the Philippines, as well as other countries in South Asia with older 2G and 3G GSM networks, markets where Facebook has seen most of its recent growth. Lite uses a proxy architecture: an application server runs most of the application code and minimizes the amount of data that has to be sent to the user’s phone. And apparently because it was acting as a proxy, the server was acting on behalf of users and logging their credentials for use in connecting to other Facebook services.

While Facebook Lite users make up the vast majority of those affected, other applications were clearly also involved, since Instagram and non-Lite Facebook credentials were also logged. Canahuati said that Facebook’s server-side applications are only supposed to store a “hashed” mathematical representation of users’ passwords (in practice a salted, deliberately slow hash that cannot be reversed or cheaply brute-forced) and not the passwords themselves. But some applications within the Facebook and Instagram architecture clearly didn’t do that. According to the Krebs report, the unprotected passwords were stored from at least 2012 until January of this year, when the issue was “discovered.”
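The two points above, a proxy server that handles logins on the user’s behalf and a backend that is only supposed to keep a hashed representation of the password, are easy to show side by side. The following is an added example written for this page, not Facebook’s code; the request field names, the user store, and the sample credential are constructed for illustration. It shows a login proxy that writes the raw request to its log (the failure mode the article describes), the same proxy logging a redacted copy, a user store that persists only a salted PBKDF2 digest, and the kind of scan a security review would run over stored logs to find plaintext credentials.

```python
"""Illustrative login proxy: store only password hashes and keep plaintext
credentials out of server-side logs. Added example, not Facebook's code;
field names, user data and the sample password are constructed."""
import hashlib
import hmac
import secrets

# Assumed request field names (not Facebook's real request schema).
SENSITIVE_FIELDS = {"password", "pass", "pwd", "token"}

# Constructed user store: holds only salted hash records, never passwords.
USER_STORE = {}


def hash_password(password, salt=None, iterations=100_000):
    """Derive a salted PBKDF2-HMAC-SHA256 record. This is what the backend
    is supposed to persist instead of the password itself."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(username, password):
    USER_STORE[username] = hash_password(password)


def redact(params):
    """Copy of the request parameters with credential fields masked,
    safe to write to logs or analytics storage."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
            for k, v in params.items()}


def authenticate(request):
    record = USER_STORE.get(request.get("username"))
    return record is not None and verify_password(request.get("password", ""), record)


def leaky_login_proxy(request, log):
    """The failure mode in the article: the proxy logs the whole request it
    forwards on the user's behalf, password included."""
    log.append(f"login request: {request!r}")
    return authenticate(request)


def safe_login_proxy(request, log):
    """Same flow, but the log line is built from the redacted copy."""
    log.append(f"login request: {redact(request)!r}")
    return authenticate(request)


def find_plaintext_in_log(log, known_passwords):
    """The kind of check a security review runs over stored logs: look for any
    known credential value appearing verbatim. Returns the offending lines."""
    return [line for line in log if any(p in line for p in known_passwords)]


def demo():
    register("alice", "correct horse battery staple")  # constructed sample user
    request = {"username": "alice", "password": "correct horse battery staple",
               "device": "android-lite"}
    leaky_log, safe_log = [], []
    ok_leaky = leaky_login_proxy(request, leaky_log)
    ok_safe = safe_login_proxy(request, safe_log)
    leaked = find_plaintext_in_log(leaky_log + safe_log, [request["password"]])
    return {"leaky_auth": ok_leaky, "safe_auth": ok_safe,
            "leaked_lines": leaked, "safe_log": safe_log}


if __name__ == "__main__":
    print(demo())
```

Both proxies authenticate the user correctly; the difference is only in what lands in the log, which is exactly why this class of bug survives for years without breaking anything. PBKDF2 is used here because it ships in the Python standard library; a memory-hard function such as Argon2 or scrypt would be the better choice in production. Redacting by field name is a reasonable first line of defence, but a review should still scan stored logs for known secret values, since credentials also leak through free-form error messages and serialized request bodies that no field list anticipates.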


According to Krebs’ source at Facebook, the company may be artificially reducing the estimated size of the password exposure. “The longer we go into this analysis, the more comfortable the legal people are going with the lower end [of potentially affected users],” the source said. “Right now, they’re working on an effort to reduce that number even more by only counting things we have now in the data warehouse.”

Canahuati offered the usual advice for users concerned about their privacy:

  • You can change your password in your settings on Facebook and Instagram. Avoid reusing passwords across different services.
  • Pick strong and complex passwords for all your accounts. Password manager apps can help.

He also mentioned other features Facebook offers to prevent someone from using stolen user credentials to log in to its services, including two-factor authentication (2FA) via the mobile application or via text message, or the use of a USB security key. But these authentication methods may not be easily accessible to or effective for many of those affected by this or other password exposures. Using SMS-based 2FA over 2G networks with weak encryption doesn’t seem ideal, and thanks to Facebook’s use of phone numbers to find profiles, connecting a phone number with a Facebook username is fairly simple.
