Facebook faces another major data breach, millions of passwords exposed to employees


    Not only is Facebook one of the most popular and recognised social media platforms across the world, but recent developments have also made it the most questionable, definitely in terms of data privacy. It has not been that long since Facebook was accused of a significant data breach. British consultancy firm Cambridge Analytica allegedly mined the personal data and used it to influence voters as part of Donald Trump’s 2016 presidential campaign.

    However, the California-based company yet again succumbed to a major breach in their security. As following a report by KrebsonSecurity, the passwords of 200 to 600 million users across three of its major platform including Facebook Lite and Instagram were stored in a plaintext format, with some accounts dating back all the way to 2012. If put simply, this means that a number of Facebook employees were able to search and accessed the passwords of the affected users.

    The magnanimity of the company and its user database has made it a major target for hackers, but the company’s reputation of holding its fort has been marred by the data breach in September 2018. Image courtesy: Getty Images

    The report, which also has inputs from a major source within the organisation, says that logs in the internal servers showed an estimate of 9 million queries were made by 2,000 Facebook developers and engineers to access data that contained these plaintext user passwords. “The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds of affected users. Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse,” the source said in the report. 

    Pedro Canahuati, Vice president of engineering, security, and privacy released a statement which called for calm and assured its users that neither the passwords were accessed by someone outside the organization structure, nor did anyone on the inside abuse or access them. “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” he said.

    “In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them,” said Pedro in his statement as he explained the algorithm followed by Facebook to crypt passwords. Image courtesy: Facebook

    The statement also said that the affected users will be notified about the breach. “In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them. There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” he added. 

    Twitter too has dealt with a plaintext password bug in May 2018, but it did not require people to change their passwords, along with the fact that the exposed passwords were available to a relatively smaller number of employees for a far shorter period of time. Usually, the norm of storing passwords is to scramble them using a cryptographic process called hashing. This makes the passwords safe even if there is unauthorized access. Whilst Facebook claims that the problem has been solved, such a small room for error makes the heavy investments to avoid security mishaps virtually negated.

    Further reading:

    Leave a Reply