Image credit: ASSOCIATED PRESS

Over 20,000 Facebook employees had access to 600 million user passwords

It will notify hundreds of millions of users after discovering credentials were stored in plain text.

It's a day of the week ending in the letter "y," so it should come as little surprise there's news of another Facebook privacy transgression. The company says it found in January that some user passwords were stored in plain text on its servers. Facebook's systems are supposed to mask passwords, and it has since fixed the issue.

Facebook will alert all users whose passwords were stored in plain text, including hundreds of millions of users of Facebook Lite, a version of the social network designed for slow internet connections and low-specification phones, which is typically used in developing nations. It will also notify tens of millions of other Facebook users and tens of thousands of Instagrammers.

While the information could have proven disastrous if it had fallen into the wrong hands, Facebook says the login credentials were "never visible to anyone outside of Facebook." Pedro Canahuati, Facebook's vice-president of engineering, security and privacy, wrote that "we have found no evidence to date that anyone internally abused or improperly accessed" the passwords.

Facebook didn't reveal the full extent of the issue, though an anonymous senior Facebook employee told Krebs on Security up to 600 million passwords were stored in plain text, and suggested some credentials have been stored in this way since 2012. More than 20,000 employees were able to search the data, the employee said -- Facebook employed 35,587 people as of the end of 2018. Access logs reportedly show around 2,000 engineers or developers "made approximately nine million internal queries for data elements that contained plain text user passwords."

Facebook, of course, has had to deal with myriad privacy scandals in the recent past. Federal prosecutors are conducting a criminal investigation into the firm's data-sharing practices with other businesses. The company was also found to be using phone numbers users provided for security (including two-factor authentication) for other purposes, including ad tracking and making them searchable. Meanwhile, CEO Mark Zuckerberg this month revealed plans to transform Facebook into a privacy-focused network.
