Facebook Says Millions of Users' Passwords Were Improperly Stored in Internal Systems -- 2nd Update
March 21 2019 - 3:13PM
Dow Jones News
By Aisha Al-Muslim
Facebook Inc. stored hundreds of millions of user passwords in a
format that was accessible to its employees, in yet another privacy
snafu for the social-media giant.
Facebook estimated it will notify hundreds of millions of
Facebook Lite users, tens of millions of other Facebook users, and
tens of thousands of Instagram users, the company's vice president
of engineering, security and privacy Pedro Canahuati said in a blog
post Thursday.
Mr. Canahuati said the company has fixed these issues and that
"no passwords were exposed externally and we didn't find any
evidence of abuse to date."
Facebook Lite is a stripped-down version of the product for use
by people without access to reliable internet service.
The internal exposure of passwords was reported by
krebsonsecurity.com earlier Thursday. Citing an unnamed senior
Facebook executive, independent security researcher Brian Krebs
wrote that as many as 600 million passwords were exposed, with some
being improperly stored as far back as 2012. According to Mr.
Krebs's report, the files containing the passwords were accessible
to as many as 20,000 Facebook employees, and around 2,000 company
developers and engineers interacted with the system that contained
them.
Facebook identified the issue as part of a routine security
review in January, Mr. Canahuati said.
During the review, Facebook has been looking at the ways it stores
some information, such as access tokens, and has fixed problems as
they were discovered, he said. While Facebook will notify users
whose passwords were stored insecurely "as a precaution," there is
no current plan to require users to change their passwords.
Facebook's login systems are designed to mask passwords, Mr.
Canahuati said, converting them into a scrambled cipher in a way
that cannot be undone. His post didn't explain why a vast quantity
of login information had not been treated in that fashion in this
instance.
The security lapse follows a data breach six months ago in which
Facebook said attackers managed to extract data such as name,
gender and hometown for around 50 million users. It also comes amid
a wide-ranging Federal Trade Commission review of Facebook's
privacy policies and handling of user data. Though that probe began
following a scandal over how political consulting firm Cambridge
Analytica obtained Facebook user data, Facebook has said it kept
the FTC abreast of other privacy and data-handling lapses.
Write to Aisha Al-Muslim at aisha.al-muslim@wsj.com
(END) Dow Jones Newswires
March 21, 2019 14:58 ET (18:58 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.