Plain Text Passwords
In a damning privacy revelation, Facebook admitted to storing “hundreds of millions” of account passwords in plain text — a flabbergasting breach of good data security practice.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” reads a post published today, written by Pedro Canahuati, Facebook’s VP Engineering, Security and Privacy.
“No Evidence” of Abuse
That news is especially grim for users who recycled old passwords across different sites. But the exact fallout of the mistake remains unclear.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Canahuati wrote.
The industry standard practice for storing sensitive information such as passwords or user account names is called “hashing”: instead of the password itself, the system stores a fixed-length digest derived from it by a one-way function (ideally salted and deliberately slow to compute), so that the original password cannot be read back from what is stored, making it much harder for hackers to make use of stolen credentials.
Facebook advised its users in the post to change their passwords for both Facebook and Instagram.
“Pick strong and complex passwords for all your accounts,” Canahuati wrote. “Password manager apps can help.”