By Jeff Horwitz and Robert McMillan 

Facebook Inc. for years stored hundreds of millions of user passwords in a format that was accessible to its employees, in yet another privacy snafu for the social-media giant.

The incident disclosed by the company Thursday involved a wide swath of its users, though Facebook said no passwords were exposed externally, and it hasn't found evidence of the information being abused.

Facebook estimated it will notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users," the company's vice president of engineering, security and privacy Pedro Canahuati said in a blog post Thursday.

Facebook Lite is a stripped-down version of the product for use by people without access to reliable internet service.

The security lapse appears similar to others that have occurred at tech companies, including Twitter Inc., which asked 331 million users to change their passwords in May after discovering that one of its internal systems logged users' unencrypted passwords.

Because so many people reuse their passwords, they have emerged as a major security problem for tech companies. Password databases have become a prime target for cyber thieves, and hackers will often try a user's stolen password to break into new sites. Most companies, including Facebook, monitor the internet for publicly released databases of passwords.

"Passwords are extremely sensitive data," said Deirdre K. Mulligan, an associate professor at University of California Berkeley, who specializes in data privacy. "If passwords are being stored in the clear, accessible by thousands of employees, one can only imagine how poorly other data is being managed," she said.

Facebook's data-security lapse attracted more attention than similar stumbles elsewhere given persistent criticism of how the company collects, stores and deploys its users' data.

It also contradicts at least some of the company's previous assurances on the matter. In a 2014 post about password security, Facebook's then-security engineer Chris Long wrote that "no one here has your plain text password."

Facebook identified that it did log plain-text passwords as part of a security review in January, Mr. Canahuati said.

During the review, Facebook has been looking at the ways it stores some information, such as access tokens, and has fixed problems as they were discovered, he said. While Facebook will notify users whose passwords were stored insecurely "as a precaution," there is no current plan to require users to change their passwords.

The security lapse follows a data breach six months ago in which Facebook said attackers managed to extract data such as name, gender and hometown for around 50 million users. It also comes amid a wide-ranging Federal Trade Commission review of Facebook's privacy policies and handling of user data. Though that probe began following a scandal over how political consulting firm Cambridge Analytica obtained Facebook user data, Facebook has said it kept the FTC abreast of other privacy and data-handling lapses.

Storing passwords in an encrypted format is "not just best practice, it's something that industry should always do," said Jennifer Granick, a lawyer with the American Civil Liberties Union. "Facebook's failure to do that will really upset the FTC," she said.

The internal exposure of passwords was reported by krebsonsecurity.com earlier Thursday. Citing an unnamed senior Facebook executive, independent security researcher Brian Krebs wrote that as many as 600 million passwords were exposed, with some being improperly stored as far back as 2012. According to Mr. Krebs's report, the files containing the passwords were accessible to as many as 20,000 Facebook employees, and around 2,000 company developers and engineers interacted with the system that contained them.

Facebook's post disclosing that it had logged the plain-text passwords came after a company source grew impatient waiting for the company to acknowledge the problem on its own and contacted Mr. Krebs.

"My source did seem to be concerned that Facebook was going to delay disclosing this as long as it could," Mr. Krebs told the Journal in an email.

Facebook's hashing algorithm, known internally as "the onion," is made up of a series of cryptographic techniques that evolved over time and are used internally to obfuscate data such as user passwords. Mr. Canahuati's post didn't explain why a vast quantity of login information had not been treated in that fashion in this instance, and Facebook didn't respond to a request for additional information about what purpose the logged data served.

The risk of mistakes like Facebook's is greater within large companies because teams of engineers are often working on unrelated projects with different goals, said Chris Vickery, a security researcher for Upguard.

"This was logs of the passwords arriving, data in transit," Mr. Vickery said. "Whoever designed the logging system didn't have passwords in mind. Whoever designed the database that stored passwords probably didn't know this existed."

Even if no users were harmed by the mistake, Mr. Vickery said, the sloppiness in handling user data is "another example of bad data governance as a culture at Facebook."
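The failure mode Mr. Vickery describes (a request logger that never considered passwords) beside the hardened alternative the article's sources call for, as an added example that is not code from the article, from Facebook or from Mr. Vickery. Field names, the sample payload and the log lines are constructed for this illustration; the password-hashing routine is ordinary salted PBKDF2, not Facebook's "onion" scheme.

```python
import hashlib
import hmac
import json
import os
import re

# Keys that must never reach a log line (constructed list for this example).
SENSITIVE_FIELDS = {"password", "passwd", "pass", "access_token", "token"}
REDACTED = "[REDACTED]"


def naive_log_line(event: str, payload: dict) -> str:
    """The mistake: the whole login payload, password included, is written as-is."""
    return f"{event} {json.dumps(payload, sort_keys=True)}"


def _scrub(value):
    """Recursively replace sensitive keys so nested payloads are covered too."""
    if isinstance(value, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_FIELDS else _scrub(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub(v) for v in value]
    return value


def redacted_log_line(event: str, payload: dict) -> str:
    """Hardened logger: credentials are scrubbed before the line exists anywhere."""
    return f"{event} {json.dumps(_scrub(payload), sort_keys=True)}"


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Store only a salted PBKDF2-SHA256 hash; the plaintext is never persisted."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Detection: JSON-style credential fields whose value is anything but the redaction marker.
LEAK_PATTERN = re.compile(
    r'"(?:password|passwd|pass|access_token|token)"\s*:\s*"(?!\[REDACTED\]")[^"]*"', re.I)


def find_plaintext_credentials(log_lines) -> list:
    """Return indices of existing log lines that carry a credential in the clear."""
    return [i for i, line in enumerate(log_lines) if LEAK_PATTERN.search(line)]
```

Running `find_plaintext_credentials` over an archived log is the kind of check that would have surfaced this class of problem during a review like the one the article describes.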

Facebook has been under fire for much of the past year over data-security issues and concerns over how it monitors the platform. Even against that backdrop, the past week has been a difficult one for the Menlo Park, Calif., company. Last week the company's chief product officer and the head of its WhatsApp division resigned unexpectedly, a move seen as reflective of intense debate within the company over its direction.

This week the company has had to answer questions about its response to the video of the Christchurch, New Zealand shooting, which was live-streamed on Facebook and remained on the site for half an hour after a user brought it to the company's attention. The company also announced the settlement of a lawsuit alleging that it had discriminated against some users by allowing housing, employment and credit-related ads to be targeted according to gender, age and ZIP Code. Facebook paid less than $5 million and agreed to end the practice.

Aisha Al-Muslim contributed to this article.

Write to Robert McMillan at Robert.Mcmillan@wsj.com


(END) Dow Jones Newswires

March 22, 2019 06:07 ET (10:07 GMT)

Copyright (c) 2019 Dow Jones & Company, Inc.