Facebook woes escalates as the tech giant continues to grapple with intense scrutiny about its privacy practices. The company has been under heavy criticism from various watchdogs and users in regards to its security practices and data scandals.
According to a report published on Thursday by cybersecurity journalist Brian Krebs, indicates that a security flow at Facebook’s internal server stored million’s of users account passwords in simple plain text without encryption hence exposing them to thousands of Facebook’s employees.
“The Facebook anonymous source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees,” KrebsOnSecurity wrote on its blog post.
Facebook’s Vice president of Engineering, Security and Privacy , Pedro Canahuati , through a blog post published on Thursday confirmed that indeed some users password were being stored in a readable format within its internal server.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
Facebook further adds that there’s no evidence that plain text passwords were exposed outside of the company or that they were abused internally.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”
The issue is said to have impacted hundreds of millions of Facebook Lite users and tens of thousand of Facebook users. The company further states that it will be sending out notification to all the affected users.
"We have fixed these issues and as a precaution we estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users whose passwords we have found were stored in this way" ”
Facebook further claims that the company has always adhered to the Standard encryption techniques which requires tech companies to encrypt passwords to prevent them from being stolen or by third parties.
“In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them. In security terms, we “hash” and “salt” the passwords, including using a function called “scrypt” as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.”