Facebook had stored hundreds of millions of user passwords in plain text since 2012, meaning they could have easily been accessed and read by more than 20,000 of its employees.
The details: In a carefully worded statement, Facebook said it hadn’t found any evidence of abuse, but it promised to start alerting users about the issue. It said people would not need to reset their passwords (although some experts have advised they do so anyway).
You can also opt to receive notifications if an unfamiliar device logs into your account. It’s worth noting the leak was purely internal, so none of the passwords were exposed outside of Facebook’s walls.
Timing: Facebook announced the mishap yesterday in a blog post (innocuously titled “Keeping Passwords Secure”), roughly at the same time as cybersecurity researcher Brian Krebs reported it on his blog. However, Facebook originally found the issue back in January, which does make you wonder if the company would have reported it publicly if left to its own devices.
They just keep coming: This is yet another major embarrassment for Facebook, which spends vast sums of money employing top cybersecurity professionals. Storing passwords in plain text is a terrible practice from a security point of view, and you’d expect better from a company of Facebook’s size and wealth. It seems that not a week goes by without yet more bad news, from the fallout of the Cambridge Analytica scandal (a year ago last weekend) to the range of lawsuits it’s facing across the world.