Facebook says it has fixed readable password flaw
News will heighten security concerns surrounding platform
Facebook faces increasing pressure over the privacy and security of users’ information following a string of scandals, including the Cambridge Analytica data sharing revelations last year.
Facebook improperly stored hundreds of millions of its users’ passwords internally in a readable format, the company said on Thursday, in a revelation that will further heighten concerns about the privacy of its users’ information.
The world’s largest social network said in a blog post that during a routine review in January it had found the flaw in its internal data storage systems, adding that the company had now fixed the issue.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” Pedro Canahuati, vice-president of engineering, security and privacy, said.
Mr Canahuati’s post was published shortly after a blog by cyber security journalist Brian Krebs first reported on the incident, citing a Facebook source who said that the account passwords of between 200 million and 600 million users may have been searchable by more than 20,000 Facebook employees. Krebs claimed that some of these passwords were available in plain text as far back as 2012.
Mr Canahuati said that Facebook had found “no evidence to date that anyone internally abused or improperly accessed them” or that anyone outside of Facebook had viewed the passwords.
However he said that the company would be notifying the users affected “as a precaution”. He estimated this included hundreds of millions of users of Facebook Lite, a version of the platform used by people in regions with limited internet connections, plus tens of millions of other Facebook users and tens of thousands of users of Instagram, its photo-sharing app.
String of scandals
News of the major security flaw comes as Facebook faces increasing pressure from the public and regulators over the privacy and security of users’ information following a string of scandals, including the Cambridge Analytica data sharing revelations last year. In the US, the company is in settlement negotiations with the Federal Trade Commission, whose investigation into privacy violations could result in a record fine.
It is unclear whether the latest incident represents a breach of the EU’s new data protection regulations, known as the General Data Protection Regulation, or GDPR. The Irish Data Protection Commissioner, which oversees compliance with GDPR, said in a statement: “Facebook have been in contact and have informed us of this issue. We are currently seeking further information.”
Facebook said on Thursday that in the course of its routine security review, it had been “looking at the ways we store certain other categories of information” including another kind of key known as access tokens, adding that it had “fixed problems as we’ve discovered them”.
The company is having a bruising month. Last week, it suffered the longest mass outage of its apps in its history, and it also emerged this month that prosecutors in New York had opened a criminal investigation into its historic data-sharing partnerships with other big technology companies. – Copyright The Financial Times Limited 2019