Facebook confirmed on Thursday that it had kept “hundreds of millions” of user passwords in a “readable format”—meaning engineers and other employees with access to the company’s internal systems could see the actual plaintext passwords.
In a press release, the social network said that it discovered the mishap during a “routine security review in January.” News of the mistake was first reported by independent security journalist Brian Krebs.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Facebook wrote. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.”
Krebs reported that between 200 and 600 million people are affected, and that some passwords were found in archives dating back to 2012.
When reached for comment via email, a Facebook spokesperson referred us to its press release.
A current Facebook employee told Motherboard that "it sucks."
"Obviously we don’t store them in plaintext ‘normally,’" the employee, who has a technical role, told Motherboard. "Logged in plaintext in some unique weird cases we found and fixed and are talking about." Motherboard granted multiple sources in this story anonymity to speak more candidly about a security incident.
"It should’ve never happened," they said.
A former technical Facebook employee told Motherboard, "My perspective is that this was unintentional."
"It sounds like a logging error. This class of issue, especially if historic, may take a long time to find,” they added. "If an [organization] is protecting access to user data, and an unexpected field is logged, it may not be easily discoverable for a long time since people aren’t handling raw data."
Another former Facebook employee told Motherboard, "this specific case certainly wasn’t widely known. Would have been scandalous even internally. It would have gotten fixed the second someone found out about it."
Usually, companies keep passwords secure by hashing and salting them in their databases. Hashing runs each password through a one-way function, and salting mixes a random per-user value into that computation first, so that even someone who steals the stored hashes cannot easily recover the real passwords. Facebook is not the only major company to have made such an embarrassing mistake. Recently, both GitHub and Twitter admitted having exposed passwords in plaintext within their systems.
If you’re worried about the security of your Facebook account, see our guide on how to check your Facebook account for suspicious activity.
Additional reporting by Joseph Cox.