Facebook stored millions of user passwords unencrypted

Facebook password breach exposes 200+ million people
Image: Facebook

Facebook, the Jerry Gergich of social media, has once again angered the public with its data handling practices. However, this new controversy doesn’t involve the company giving advertisers or third-party companies access to the public’s personally identifiable information. Now, the firm is being criticized for storing “hundreds of millions” of user passwords in plaintext on its internal servers.

The company’s potentially massive data exposure was disclosed by Krebs on Security on March 21. A source within Facebook contacted the site to reveal the shocking results of a recent security audit. The company’s network allegedly logged the unencrypted password data of between 200 and 600 million people.

An internal investigation revealed more than 20,000 Facebook employees had access to the passwords. Even worse, the insider claimed around 2,000 company engineers and developers accessed the unprotected credentials 9 million times.


How Did This Happen?

Pedro Canahuati, Facebook’s vice president of engineering, security, and privacy, told Wired the vulnerability was the result of a few different cross-platform software failures.

The biggest bug involved Facebook Lite, a mobile app that lets users access a stripped-down version of Facebook. The program was launched in 2015 and is popular in regions of the world with low data connectivity, such as Southeast Asia and South America.

Facebook implemented a proxy server to make the Lite app usable in low data bandwidth areas. One function of the proxy server is storing individual credentials for use on other Facebook products. Unfortunately, it didn’t encrypt people’s passwords when doing so.

Accordingly, the Facebook Lite bug left hundreds of millions of customers' credentials exposed. Additionally, two other Facebook network bugs caused similar problems on other platforms.

When functioning properly, classic Facebook's internal architecture should have rendered the passwords unrecognizable by hashing them at login. Instead, Canahuati noted tens of millions of Facebook users had their passwords insecurely stored going back to 2012. Several thousand Instagram users had their data logged in the same way.
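The two controls the failure mode above calls for, as an added example that is not Facebook's code: hash the password with a salted key-derivation function at login so only a hash is stored, and redact credential fields before a request record reaches any log, which is where a request-logging proxy would otherwise capture plaintext passwords. The field names, iteration count and logger setup are assumptions.

```python
"""Added example: salted password hashing plus log redaction, so a login
path never persists or logs a plaintext password. Not Facebook's code."""
import hashlib
import hmac
import logging
import os
import re
from typing import Optional
from urllib.parse import urlencode

ITERATIONS = 200_000  # PBKDF2 work factor (assumed); tune to ~100 ms per hash
# Form/query field names treated as secrets (assumed names, not Facebook's).
SECRET_FIELDS = ("password", "passwd", "pass", "token")
_SECRET_RE = re.compile(r"(?i)\b(" + "|".join(SECRET_FIELDS) + r")=([^&\s]*)")

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex:digest_hex' using PBKDF2-HMAC-SHA256 and a random per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}:{digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def redact(line: str) -> str:
    """Replace the value of every secret field in a form/query-encoded line."""
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)

class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message so format args cannot smuggle a password."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

def login(form: dict, stored_hash: str, log: logging.Logger) -> bool:
    """Verify a submitted form; the access log (with RedactingFilter) sees only redacted data."""
    log.info("POST /login %s", urlencode(form))
    return verify_password(form["password"], stored_hash)
```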

Facebook claims it thoroughly examined the unprotected credentials for signs of outside access or internal exploitation and found none. That declaration would’ve been more reassuring had the social network not suffered a massive data breach in October 2018.

What Happens Next?

In its password vulnerability press release, Facebook detailed the methods it uses to protect user credentials. However, it did not address how those measures failed to protect 26 percent of the company’s 2.3 billion monthly active users. The firm also listed three well-known data security best practices without addressing the fact that two of the three wouldn’t have protected users from the login bug.

The corporation hasn’t even said how many people had their data affected by its network bug.

As with Facebook’s disregard for privacy and inability to properly moderate harmful content, the company seems woefully out of touch with consumer expectations. Whether it’s due to indifference, indecision, or incompetence, the firm just can’t seem to put its best foot forward.

With a possible multibillion-dollar Federal Trade Commission fine looming and new federal charges being a possibility, the Silicon Valley giant is in a precarious position right now. The brand should be trying to reassure consumers of its utility and positive aspects. Instead, it just keeps providing the world with reasons why it would be better off without Facebook.