Facebook was apparently keeping millions upon millions of usernames and passwords stored in plaintext, accessible to employees, according to every news outlet under the sun today.
You might want to change your password as a little bit of a precaution.
Oh, and it doesn’t just impact Facebook, but Instagram as well (and Facebook Lite, for that matter).
Further, reports indicate that the issue went all the way back to the year 2012. Facebook’s vice president of engineering and security, Pedro Canahuati, wrote in a blog post: “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems…Our login systems are designed to mask passwords using techniques that make them unreadable. To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”
A review of security after a lapse revealed the plaintext username and password issue. As soon as it was discovered, the company began to put necessary changes into place.
Lukasz Olejnik of the Center for Technology and Global Affairs at Oxford University thinks this is a pretty big deal from a web security standpoint, commenting, “It’s good that they’re being proactive…But this is a big deal. It seems like they found the issue during an audit so maybe their past mistakes plus new privacy regulations are making these checks more standard.”
Security engineer and director of the Open Crypto Audit Project, Kenn White, explained the entire thing from a systems point of view, saying, “But if Facebook retains that for years it raises a lot of questions about their architecture. They have an obligation to protect these debug logs and audit and understand what they’re retaining. In some ways that’s the most sensitive data they hold, because it’s raw and unmanaged.”