For Years, Hundreds of Millions of Facebook Users Had Their Account Passwords Stored in Plain Text and Searchable By Thousands of Facebook Employees (krebsonsecurity.com) 106
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees -- in some cases going back to 2012, KrebsOnSecurity reported Thursday. From the report: Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is probing the causes of a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That's according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press. The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012. Facebook has responded.
Hey look (Score:5, Insightful)
The amount of these is insane. Why is this still a company and not been shut down.
Re: (Score:1)
they "trust" me. dumb fucks.
Re: (Score:2)
Shut down
Re: (Score:3)
Re:Hey look (Score:4, Interesting)
Why is this still a company and not been shut down.
Most people don't care about their online privacy unless it's nudie pics. Seems strange to most of us here. They think we're strange.
cf. Snowden revelations going over like a lead balloon.
Re: (Score:1)
Most people don't care about their online privacy unless it's nudie pics. Seems strange to most of us here.
Reminds me of the old joke about how a liberal is just someone who hasn't been mugged (yet). Personal experience colours everything we think and feel. Trouble is, life is too short and the world too big and varied for most of us ever to get a balanced view of it.
"Experience keeps a dear school, but fools will learn in no other".
- Benjamin Franklin
It's very much the same pattern with many things:
- We don't bother to take backups until, one fine day...
- We don't think insurance is worth the cost until...
- Sec
Re: (Score:2)
Insurance isn't worth the cost, if you can afford to cover the loss yourself. If it wasn't a negative expected value, there'd be no profit in providing it. It makes sense only when in the case the insurance is needed you couldn't afford the cost. So homeowners insurance tends to be good, insurance on your phone tends to be bad.
Re: (Score:2)
Insurance isn't worth the cost, if you can afford to cover the loss yourself. If it wasn't a negative expected value, there'd be no profit in providing it. It makes sense only when in the case the insurance is needed you couldn't afford the cost. So homeowners insurance tends to be good, insurance on your phone tends to be bad.
I won't argue the finer points but I note that when a mult-billionaire's house burns down they've usually been insured, so there must be value in it somewhere.
Re: Hey look (Score:2)
Re: Hey look (Score:2)
Re: (Score:2)
The problem is that its dangers are a little bit like with the anti-vaxxers. Just saying "don't be stupid" doesn't cut it when the stupid can affect you with their actions. All it takes is one idiot friend in your circle of acquaintances who feels that urge to tell the whole world who he's hanging out with.
Re: (Score:2)
Ya know, a rebuttal that uses the same wording should at the very least make sense...
Re: (Score:1)
Hey, now, that's not fair. Facebook cares about privacy. In much the same way that lions care about gazelles.
Comment removed (Score:5, Interesting)
Re: (Score:2)
The real problem, isn't Facebook, but all the other companies, that have our info also stored unencrypted.
Most software are built by beginning programmers, fresh out of school on their first job. You will be lucky if the classes taught would include SQL databases, and most of them will shy away from teaching security practices, I think partially because they don't want to teach the next generation of hackers. But Almost every time, me as someone with a few decades of experience work with these developers, I
Re: (Score:2)
Facebook is worse than that. In the summer their number swell by almost 50% due to interns.
Re: (Score:2)
Why keep the list? I would, to help set better security standards.
You can flag bad password choices just by storing hashes.
Re: (Score:2)
Pre-existing bad choices yes, if the data was to be analyzed to find patters of how bad passwords are constructed it isn't enough.
should never have been available in plaintext (Score:4, Insightful)
The point is, passwords should never have been available in plaintext in the first place.
What the heck is wrong with them? The techniques for keeping passwords encrypted (or not holding them at all, just the hash) are well known in the business, and have been well known for decades.
Re: (Score:2)
Lies (Score:4, Informative)
Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
The CEO himself admitted to using this data to hack users' email.
The incompetence of these people is astonishing.
Re:Lies (Score:4, Insightful)
Is it incompetence, or a culture of entitled assholes?
So far, my take on Facebook is it's led by a self-entitled asshole, and that probably permeates the entire company ... we're Facebook, so fuck you, we'll do whatever we want.
This is a company which tracks you on almost every website unless you block them. Fuck that, I've blocked any of their domains and Zuckerfuck can kiss my ass and then fuck off.
Everything about Facebook says it is ran by assholes, and by extension staffed by assholes.
I'm not giving them a pass on incompetence, I think they're pretty much a malicious entity who feels they have the right to any of your data with or without your consent.
Re: (Score:3, Informative)
Is it incompetence, or a culture of entitled assholes?
I'm pretty sure it's both with some machiavellian criminality as an emulsifier. It's a popular recipe for success.
Re: (Score:3)
The CEO himself admitted to using this data to hack users' email.
Really to bad the Computer Fraud and Abuse Act only has a 2 year statue of limitation for that soft of thing. Would have been hilarious to send Zuck to the pokey.
Re: (Score:2)
I'm sure he checked that statute before "admitting" it.
Lies? Yes, clearly but where? (Score:2)
Lies? Well, yes, clearly there has been some lying. I can't speak towards whether or not the CEO admitted to using this to hack emails, that I've never heard (is there a reference for this?) but I can tell you there has to be some lying going on.
The clear lie is the claim they didn't know and that they are now "investigating" how this happened. That is so far off just PR spin that it's a blatant lie.
Their login database, for software reasons, has to be one of three methods. It has to be a) store 100% of
Re: (Score:2)
If I had to guess I would assume these are some of the oldest accounts and these people just never changed their passwords. Zuck while still in school probably wanted to read his friends e-mails and figured FB would be a good way to collect their passwords; or maybe he was just ignorant of best practices at the time and stored the passwords clear text because he did not know any better.
Then when people who knew better updated the software rather than just hashing the clear texts they had and updating the r
Re: (Score:2)
Their login database, for software reasons, has to be one of three methods. It has to be a) store 100% of the passwords as plain-text, b) store 100% of the passwords as hashed, or c) be a hybrid system that allows either a plain-text or a hashed password with a marker for each entry specifying whether that entry is hashed or plain.
Or, d) none of the above.
According to the article, there is an interface called "Facebook Lite" that is used for accessing facebook on low-bandwidth connections; it was primarily the Facebook Lite users that had their passwords stored in plain text.
Re: (Score:2)
Or, d) none of the above.
According to the article, there is an interface called "Facebook Lite" that is used for accessing facebook on low-bandwidth connections; it was primarily the Facebook Lite users that had their passwords stored in plain text.
Fair enough, maybe all the users created through that lite interface had their passwords unhashed. But if you read the article, there are tens of millions of regular users too. And you can't tell me that no one who created an account through the lite version never tried to log in the normal way ever. Which means, somewhere the login API had to have global support for determining the difference between a hashed and plain-text password. Someone had to add that. Global support for differentiating between
Re: (Score:2)
Re: (Score:2)
They use PHP. You should not be astonished.
Incompetence or Malevolence? (Score:1)
Yes.
Re: (Score:2)
That doesn't exactly make it better that only one half of The Party got access to it.
Re: (Score:1)
It's not as though any other major social media companies encrypt your shit either. Don't pretend Facebook is special in this regard.
Zero Trust (Score:2)
I think there needs to be school classes or something that teach 'internet defense'.
We're beyond any shadow of a doubt that we cannot trust *any* company with our data. People need to understand to use password managers instead of reusing passwords, not to share the details of their personal lives, etc.
The gov't doesn't seem to care about these privacy abuses and failures, and until that changes, people need to take precautions to defend themselves.
Re: (Score:2)
"We're beyond any shadow of a doubt that we cannot trust *any* company with our data. People need to understand to use password managers instead of reusing passwords...."
So people should not trust *any* company with their data, but they should trust their passwords with a company?
Did you think this statement through?
Misdirection at its best...Go figure FaceBook (Score:2)
Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
So an entity can go ahead and be incompetent as long as any ongoing investigation has so far found no indication that employees have abused access to this data.?
Is that the issue anyway? FB should be sued. Victims should get some cash.
Old Habits Die Hard... (Score:3, Informative)
Didn't we already know this? (Score:5, Interesting)
People who actually see their spam (i.e. don't have fully automated filtering) have known that Facebook stores plaintext passwords, and that their database has been stolen, for quite some time.
I get about 10-20 (it varies) of the "I infected you with malware when you were jacking off to porn and recorded you jacking off" spams per day, where the spammer tells you an actual password that you used (for credibility when they claim they've compromised your machine), along with the email address that goes with that password. Among those, it's not unusual to see the address and the password that I had used for Facebook. Of course, there are plenty of others (I use a different email address and password for each website) but Facebook is definitely one of them.
For several months, I'm pretty sure it's been widely known by most email users (or at least the ones who occasionally glance at their spam) that Facebook got caught with their pants down.
(Or if not all email users who look at their spam knew this, at least it's the subset of us who always remember to install a user-facing camera and also install malware, whenever we're jacking off to porn. Maybe I should stop doing that.)
Re: (Score:3)
Re: (Score:2)
Unless you were really using some good long high entropy password like something use made with uuidgen or similar the fact the hackers have your plain text does not mean much. Anything less than that and someone could have easily cracked the hash. Even if its not a dictionary word and not made of dictionary words the hardware is out there now such that pretty much anything that isnt hashed with bcrypt or scrypt, not a dictionary word or variation with simple replacements, and not at least 15 chars is prob
Re: (Score:2)
I get those extortion e-mails but they never have a password in them. I've never had a facebook account, though. I got an e-mail threatening to send my Ashley Madison account details to my wife if I didn't pay. It would've been funny if they did - my wife already knew I had an Ashley Madison account, as did a lot of my co-workers. I bet they didn't even know my wife's e-mail address. It's not like they could have gotten it from Ashley Madison.
Allow me to comment their response (Score:3)
As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems.
Some? Hundreds of millions is some? Talk about understatement. But when you don't take security of your users, pardon, products serious, why worry?
This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.
Maybe give spamhouse a heads-up, a mass mail that large might trigger a response otherwise...
To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.
So nobody but your couple thousands employees saw them and they have all been asked whether they abused them which they responded to with a resounding "no". Sounds legit.
We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.
In other words, the blunder mostly affects products we give even less a shit about than the rest of you because they don't generate enough data points to be profitable anyway.
In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them.
So ... there are even worse security holes that we didn't even hear about yet? Admitting it proactively just in case someone stumbles upon them in the next couple days so you don't have to issue another "whoopsie, we fucked up" statement?
There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.
Because how are we supposed to sell data that anyone can access without paying for it?
Brilliant! (Score:2)
Password security (Score:2)
But when passwords are stored in plaintext, tR0b4dOr&3 isn't any safer than PASSWORD123
Actually, when stored in most other way, a simple letter substitution of "trobadors" + number isn't that much safe neither (still a dictionary word, will simply pop up a tiny bit later in the brute force attack, once the brute forcers start to probe a couple of substitutions).
Currently, the only password that are a bit safer are stuff that comes out of your /dev/random ( <- notice absence of "u") optionally piped through something like base64 to convert them into symbols considered acceptable by the webs
Re: (Score:2)
trobador wouldn't be in the English dictionary (troubador is). Maybe Catalan. Does your dictionary attack include Catalan?
Re: (Score:2)
They didn't store password in plain text for their authentication system's use. They saved it to logs. All it takes is one developer and a lack of code review to let this sneak in to any company, just like happened at Github last year.
Re: (Score:1)
Luckily it doesn't matter (Score:5, Funny)
This is interesting (Score:5, Informative)
For the past several weeks I (along with many other people) have been getting these scam emails saying that my password is a certain word and they're obviously logged into my account because they're sending me email from my own email address. (Which is stupid -- sender address has been trivial to spoof since email was invented, and that was neither the password for my email account nor ever the password to log into my workstation.). The spam then threatens to send all my contacts photos from my webcam (I don't have one) of me, um, enjoying myself to pr0n.
The password they always say they've captured was my very first facebook password. It's rather unique and I recognized it immediately.
So this pr0n scam... Is it an outsider scooping cleartext passwords and using them for spam, or is it someone at Facebook running a side business? Inquiring minds want to know.
Re:This is interesting (Score:5, Informative)
If you're not already doing it, you should check have i been pwned [haveibeenpwned.com] using common usernames/email addresses you've used to see all of the ways your info has been compromised.
You can sign up to get notified if your info shows up in future breaches.
Re: (Score:2)
Re: (Score:2)
Unique in this case meant I only ever used it for facebook.
Re: This is interesting (Score:2)
Former FB guy here (Score:3, Interesting)
How did they get the pw's in the first place? (Score:2)
Renfro said the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.
So I am guessing that like where I work, we have some log tables/files where errors or debugging is performed from. And standard practice was not to encrypt prior to any other activity when it came to passwords. yea, ok.
Re: (Score:2)
EULA is oil (Score:2)
Facebook privacy statement "we store your data in safe ways"
Yet again - this isn't true. Passwords in plain text, giving data to others, psychology experiments on your timeline.
Half the crap in those documents is obviously not true. I will continue to provide fake information to them in my profile. I'm as honest as they are.
Yeah, so what? (Score:1)
Re: (Score:2)
Yes, they are allowed to do as they please and say what they want to who ever they want.
Facebook are also allowed to fire them too.
Ads needed to see content (Score:1)
Security services needed plain text.
Happens offline, too (Score:2)
I once signed up for a health insurance company, and when I got my first bill (in the mail, no less), they printed my online account password right on the bill in plain text, for my convenience.
Needless to say, I was not a customer for long.
LOL! (Score:1)