The passwords of hundreds of millions of Facebook users were left freely accessible to thousands of Facebook employees after being stored in plain text. According to the social network, it identified the problem as part of a ‘routine’ security check in January and has since fixed the issues.
Security researcher Brian Krebs was the one to break the news about Facebook’s latest data protection mishap, which this time round saw the passwords of somewhere between 200m and 600m Facebook users exposed to over 20,000 employees.
The passwords never became visible to anyone outside of Facebook’s workforce and the company hasn’t found any evidence to suggest that any of its staff took advantage of the password data. Nonetheless, Facebook is notifying “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” as per Pedro Canahuati, the tech giant’s VP of engineering, security and privacy.
In normal circumstances, Facebook masks people’s passwords when they create an account, so that no one at the company or otherwise can see them.
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Facebook software engineer Scott Renfro told Krebs. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”