By Jeff Horwitz and Robert McMillan
Facebook Inc. for years stored hundreds of millions of user
passwords in a format that was accessible to its employees, in yet
another privacy snafu for the social-media giant.
The incident disclosed by the company Thursday involved a wide
swath of its users, though Facebook said no passwords were exposed
externally, and it hasn't found evidence of the information being
abused.
Facebook estimated it will notify "hundreds of millions of
Facebook Lite users, tens of millions of other Facebook users, and
tens of thousands of Instagram users," the company's vice president
of engineering, security and privacy Pedro Canahuati said in a blog
post Thursday.
Facebook Lite is a stripped-down version of the product for use
by people without access to reliable internet service.
The security lapse appears similar to others that have occurred
at tech companies, including Twitter Inc., which asked 331 million
users to change their passwords in May after discovering that one
of its internal systems logged users' unencrypted passwords.
Because so many people reuse their passwords, they have emerged
as a major security problem for tech companies. Password databases
have become a prime target for cyber thieves, and hackers will
often try a user's stolen password to break into new sites. Most
companies, including Facebook, monitor the internet for publicly
released databases of passwords.
"Passwords are extremely sensitive data," said Deirdre K.
Mulligan, an associate professor at University of California
Berkeley, who specializes in data privacy. "If passwords are being
stored in the clear, accessible by thousands of employees, one can
only imagine how poorly other data is being managed," she said.
Facebook's data-security lapse attracted more attention than
similar stumbles elsewhere given persistent criticism of how the
company collects, stores and deploys its users' data.
It also contradicts at least some of the company's previous
assurances on the matter. In a 2014 post about password security,
Facebook's then-security engineer Chris Long wrote that "no one
here has your plain text password."
Facebook identified that it did log plain-text passwords as part
of a security review in January, Mr. Canahuati said.
During the review, Facebook has been examining the ways it stores
some information, such as access tokens, and has fixed problems as
they were discovered, he said. While Facebook will notify users
whose passwords were stored insecurely "as a precaution," there is
no current plan to require users to change their passwords.
The security lapse follows a data breach six months ago in which
Facebook said attackers managed to extract data such as name,
gender and hometown for around 50 million users. It also comes amid
a wide-ranging Federal Trade Commission review of Facebook's
privacy policies and handling of user data. Though that probe began
following a scandal over how political consulting firm Cambridge
Analytica obtained Facebook user data, Facebook has said it kept
the FTC abreast of other privacy and data-handling lapses.
Storing passwords in an encrypted format is "not just best
practice, it's something that industry should always do," said
Jennifer Granick, a lawyer with the American Civil Liberties Union.
"Facebook's failure to do that will really upset the FTC," she
said.
The internal exposure of passwords was reported by
krebsonsecurity.com earlier Thursday. Citing an unnamed senior
Facebook executive, independent security researcher Brian Krebs
wrote that as many as 600 million passwords were exposed, with some
being improperly stored as far back as 2012. According to Mr.
Krebs's report, the files containing the passwords were accessible
to as many as 20,000 Facebook employees, and around 2,000 company
developers and engineers interacted with the system that contained
them.
Facebook's post disclosing that it had logged the plain-text
passwords came after a company source grew impatient waiting for
the company to acknowledge the problem on its own and contacted Mr.
Krebs.
"My source did seem to be concerned that Facebook was going to
delay disclosing this as long as it could," Mr. Krebs told the
Journal in an email.
Facebook's hashing algorithm, known internally as "the onion,"
is made up of a series of cryptographic techniques that evolved
over time and are used internally to obfuscate data such as user
passwords. Mr. Canahuati's post didn't explain why a vast quantity
of login information had not been treated in that fashion in this
instance, and Facebook didn't respond to a request for additional
information about what purpose the logged data served.
The risk of mistakes like Facebook's is greater within large
companies because teams of engineers are often working on unrelated
projects with different goals, said Chris Vickery, a security
researcher for Upguard.
"This was logs of the passwords arriving, data in transit," Mr.
Vickery said. "Whoever designed the logging system didn't have
passwords in mind. Whoever designed the database that stored
passwords probably didn't know this existed."
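Mr. Vickery's description of a logging layer that captured passwords "in transit," together with the article's earlier mention that Facebook hashes stored passwords, can be made concrete with a small defensive illustration. The code below is an added example, not code from the article, from Facebook, or from "the onion" (which the article does not describe in any detail). It assumes a hypothetical login-request record and a hypothetical list of credential field names, both constructed here, and it uses PBKDF2-HMAC-SHA256 from Python's standard library as a representative slow, salted hash. It shows the naive log line that leaks the password beside a redacting log line that does not, and a storage path that keeps only a salted hash.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Field-name fragments that mark a value as a credential. Hypothetical list
# chosen for this example; a real deployment would maintain its own.
SENSITIVE_MARKERS = ("password", "passwd", "secret", "token")

# Constructed sample of an inbound login request as a logging layer might
# see it (not real traffic; every value is made up for this example).
SAMPLE_LOGIN = {
    "path": "/login",
    "user": "alice",
    "password": "correct horse battery staple",
    "client": {"ip": "203.0.113.7", "session_token": "tok-0123456789"},
}


def is_sensitive(field_name: str) -> bool:
    """True if the field name suggests a credential that must never be logged."""
    name = field_name.lower()
    return any(marker in name for marker in SENSITIVE_MARKERS)


def naive_log_line(record) -> str:
    """The failure mode: serialise the whole request, credentials included."""
    return json.dumps(record, sort_keys=True)


def redact(record):
    """Recursively mask credential fields in dicts and lists; other values pass through."""
    if isinstance(record, dict):
        return {k: ("[REDACTED]" if is_sensitive(k) else redact(v)) for k, v in record.items()}
    if isinstance(record, list):
        return [redact(v) for v in record]
    return record


def safe_log_line(record) -> str:
    """Log line with credential fields masked before serialisation."""
    return json.dumps(redact(record), sort_keys=True)


# Iteration count for PBKDF2-HMAC-SHA256; kept moderate so the example runs quickly.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, slow hash and encode it with its parameters for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("naive:", naive_log_line(SAMPLE_LOGIN))   # password visible in the log
    print("safe: ", safe_log_line(SAMPLE_LOGIN))    # password and token masked
    stored = hash_password(SAMPLE_LOGIN["password"])
    print("stored:", stored)                         # only the salted hash is kept
    print("verify:", verify_password(SAMPLE_LOGIN["password"], stored))
```

The point of the split is that the two safeguards live in different components, which is exactly the organisational gap Mr. Vickery describes: the password store can hash correctly while a request logger owned by another team still writes the raw field. Redaction at the logging layer is keyed on field names rather than on values, since the logger cannot know which values are secrets; the hash stores its own salt and iteration count so parameters can be raised later without a schema change, and the comparison uses a constant-time check.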
Even if no users were harmed by the mistake, Mr. Vickery said,
the sloppiness in handling user data is "another example of bad
data governance as a culture at Facebook."
Facebook has been under fire for much of the past year over
data-security issues and concerns over how it monitors the
platform. Even against that backdrop, the past week has been a
difficult one for the Menlo Park, Calif., company. Last week the
company's chief product officer and the head of its WhatsApp
division resigned unexpectedly, a move seen as reflective of
intense debate within the company over its direction.
This week the company has had to answer questions about its
response to the video of the Christchurch, New Zealand shooting,
which was live-streamed on Facebook and remained on the site for
half an hour after a user brought it to the company's attention.
The company also announced the settlement of a lawsuit alleging
that it had discriminated against some users by allowing housing,
employment and credit-related ads to be targeted according to
gender, age and ZIP Code. Facebook paid less than $5 million and
agreed to end the practice.
Aisha Al-Muslim contributed to this article.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
March 22, 2019 06:07 ET (10:07 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.