Hard on the heels of CEO Mark Zuckerberg’s lengthy Facebook post that the social network was doubling down on privacy and ensuring users’ data remains safe, Facebook faces yet more negative publicity. KrebsOnSecurity recently announced that an internal investigation has found between 200-600 million Facebook user passwords stored in insecure plaintext format. Meaning any of Facebook’s 20,000 employees had access.
The announcement by KrebsOnSecurity did not come as a surprise to Facebook, however. “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Facebook said. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution, we will be notifying everyone whose passwords we have found were stored in this way.”
After the KrebsOnSecurity announcement, Facebook was quick to add that there is no evidence anyone outside their company viewed the passwords, nor was there any indication of improper access by its employees. Facebook’s VP of engineering, security, and privacy Pedro Canahuati said in his post regarding this latest issue that the company will be notifying “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” to let them know that their passwords were part of the batch stored as plain text.
Whether you receive the notification or not, change your Facebook password ASAP. Instagram and WhatsApp as well.