Facebook stored millions of passwords unprotected

Originally Published: April 1, 2019 Last Updated: April 1, 2019
Summary:

In March 2019, Facebook admitted it had mistakenly stored "hundreds of millions" of Facebook and Instagram user passwords in plaintext on multiple internal systems, accessible only to Facebook engineers, with some of the records dating back to 2012.

Allegations:
  • According to security reporter Brian Krebs, who cited a "senior Facebook insider", "access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords."
  • Kenn White, a security engineer and director of the Open Crypto Audit Project, questioned why Facebook retained logs containing such sensitive data for so long and why it had been unaware of their contents.
Defence:
  • Facebook's vice-president of engineering, security, and privacy, Pedro Canahuati, said, "Our login systems are designed to mask passwords using techniques that make them unreadable. To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them."
  • Canahuati said that Facebook had corrected the password logging bug and would notify all affected users that their password may have been exposed. The company does not intend to force a password reset for those users.
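The failure mode behind this incident is a login path whose debug logging captured the raw request, including the password field, and the fix the defence alludes to is that the password itself should only ever be stored as an irreversible, salted hash. The following is an added example written for this page, not code from Facebook or from the original article; Facebook has not published details of its internal systems, so the handler, filter, field names and the sample login request are all constructed for illustration. It shows the unscrubbed log line beside the scrubbed one, and a salted PBKDF2 hash standing in for the "techniques that make them unreadable".

```python
import hashlib
import hmac
import io
import logging
import os
import re

# Field names and key=value patterns treated as secrets. Hypothetical list;
# extend it to match whatever your own login handlers accept.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "old_password"}
_KV_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd)=([^&\s]+)")

# Constructed sample: the kind of parsed login form a handler might log while
# debugging. The credentials are made up.
SAMPLE_LOGIN_REQUEST = {
    "user": "alice",
    "password": "correct horse battery staple",
    "remember_me": True,
}


def redact(obj):
    """Return a copy of obj with secret values replaced.

    Dict keys in SENSITIVE_KEYS are masked, nested containers are walked,
    and free-text strings have 'password=...' style pairs rewritten, so a
    logged form body survives as a string but without the secret."""
    if isinstance(obj, dict):
        return {
            k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    if isinstance(obj, str):
        return _KV_PATTERN.sub(r"\1=[REDACTED]", obj)
    return obj


class RedactingFilter(logging.Filter):
    """Scrub log record arguments before the record is formatted or written.

    Attached to a handler, it runs for every logger that reaches that
    handler, so a stray logger.debug("%s", request) elsewhere is still
    caught. It never mutates the caller's objects."""

    def filter(self, record):
        record.msg = redact(record.msg)
        record.args = redact(record.args)
        return True


def render_login_log(request, scrub=True):
    """Return the single log line a debug-level login handler would emit.

    scrub=False reproduces the bug: the request is logged as-is.
    scrub=True installs RedactingFilter on the handler."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if scrub:
        handler.addFilter(RedactingFilter())
    logger = logging.Logger("login-demo")  # fresh, unregistered logger
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.info("login attempt: %s", request)
    handler.flush()
    return buf.getvalue().strip()


# --- what the database should hold instead of the password ---

_PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware
_SALT_LEN = 16


def hash_password(password, salt=None):
    """Return salt || PBKDF2-HMAC-SHA256(password). Store this, never the password."""
    salt = salt if salt is not None else os.urandom(_SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:_SALT_LEN], stored[_SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("bug:  ", render_login_log(SAMPLE_LOGIN_REQUEST, scrub=False))
    print("fixed:", render_login_log(SAMPLE_LOGIN_REQUEST))
    print("fixed:", render_login_log("POST /login user=alice&password=hunter2"))
    record = hash_password(SAMPLE_LOGIN_REQUEST["password"])
    print("stored:", record.hex(), "verifies:", verify_password("correct horse battery staple", record))
```

The filter sits on the handler rather than on one logger so it cannot be bypassed by a module that creates its own logger, which is the shape of bug described here: not one deliberate write, but many code paths over several years that happened to serialise an object containing the password. Redaction at the sink is a safety net, not a substitute for never passing the raw credential to anything but the hashing function.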