A new report from Krebs On Security has revealed that Facebook stored the account passwords of hundreds of millions of users in plain text and they were easily searchable by thousands of its own employees in some cases going back to 2012.
According to a senior employee familiar with the investigation, the social networking giant is currently probing a series of security failures in which employees wrote applications that logged unencrypted password data for Facebook users and stored this information in plain text on internal company servers.
So far, the investigation has discovered that between 200m and 600m Facebook users may have had their account passwords stored on its servers and searchable by over 20,000 employees.
The company is still trying to determine exactly how many passwords were exposed and for how long but archives with plain text user passwords have been discovered that date back to 2012.
Plain text passwords
Access logs at Facebook show that around 2,000 engineers or developers made nine million internal queries for data elements that contained plain text user passwords.
Software engineer at Facebook, Scott Renfro provided further insight into the ongoing investigation to Krebs On Security in an interview, saying:
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
Affected users will not have to change their passwords as they were not leaked outside of the company, though Facebook is preparing to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”.