How is this company not being criminally prosecuted?
Unfortunately, there's no direct law for that yet as far as I know.
However, I totally agree, this should be punishable by a high fine for gross negligence in data security & privacy.

IANAL, but it may be possible to prosecute facebook under GDPR due to the employees having access to all those user profiles and thus any private conversation (since they have access to the passwords).
Facebook today announced that during a routine security review it discovered "some user passwords" were stored in a readable format within its internal data storage systems, accessible by employees.

As it turns out, "some user passwords" actually means hundreds of millions of passwords. A Facebook insider told KrebsOnSecurity that between 200 and 600 million Facebook users may have had their account passwords stored in plain text in a database accessible to 20,000 Facebook employees. Some Instagram passwords were also included, and Facebook claims many of the passwords came from Facebook Lite users.


Facebook says that there's no "evidence to date" that anyone within Facebook abused or improperly accessed the passwords, but KrebsOnSecurity's source says 2,000 engineers or developers made around nine million internal queries for data elements that contained plain text user passwords.

Facebook employees reportedly built applications that logged unencrypted password data, which is how the passwords were exposed. Facebook hasn't determined exactly how many passwords were stored in plain text, nor how long they were visible.

Facebook plans to notify users whose passwords were improperly stored, and the company says that it has been looking at the ways certain categories of information, such as access tokens, are stored, and correcting problems as they're found.

"There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook," reads Facebook's blog post.

Facebook and Instagram users who are concerned about their account security should change their passwords, using unique passwords that are different from passwords used on other sites. Facebook also recommends users enable two-factor authentication.

Article Link: Facebook Stored Hundreds of Millions Passwords in Plain Text, Thousands of Employees Had Access

It is cleartext not plain text.
https://www.denimgroup.com/resources/blog/2007/10/cleartext-vs-pl/

If you store a password in a database, you would store it as either cleartext or ciphertext, usually in plain text, meaning the password is either encrypted or unencrypted, usually without formatting. Since while just sitting in a database it isn’t an input to an encryption algorithm, it is not plaintext.
...
One last important distinction to understand is that plaintext is not necessarily readable, as you could take the ciphertext from one algorithm, feed it to another (i.e., plaintext), and produce more ciphertext.
 
Facebook is just one big security risk. Either your data is being intentionally used to profile you, or they are unintentionally leaking it, or just failing to keep it secure. Oh, I almost forgot... there is always a good chance one of their partners goes “Cambridge Analytica” on you and sells your data to a foreign power or something similar. Why on earth do people give all that data to Facebook? Mark Zuckerberg knows; it’s because “people are dumb f*cks”.
 
Facebook is just one big security risk. Either your data is being intentionally used to profile you, or they are unintentionally leaking it, or just failing to keep it secure. Oh, I almost forgot... there is always a good chance one of their partners goes “Cambridge Analytica” on you and sells your data to a foreign power or something similar. Why on earth do people give all that data to Facebook? Mark Zuckerberg knows; it’s because “people are dumb f*cks”.

The same goes for people using Apple iCloud though. A large part of users do have their data directly on government servers, analysed and monitored in near real time with social scoring and all....
 
Ah...the art of social networking *rolls eyes*

I think it doesn't really matter anymore how serious a 'leak' is on FB, when they sell it to advertisers anyway...

It just subverts it, and tries to say, FB is the only source, which it isn't

Consider my mind blown.


Every time I see Mark's head explode, it makes me laugh.
 
Good advice, except that this will not help in the case of Facebook. The problem this time is that they have been shown to store passwords on the server side in plain text format. No matter how complex your password is in such a case, they will have easy access to it; it is 100% readable to them.

It's kind of like the person at the office who writes their passwords on Post-Its and sticks them on their computer screen or desk. Everyone in the office has easy access. Free and easy to do whatever they please.

That's the reason for 2FA. Even if they have the Facebook password. It's not of too much use.
 
I would love to give up FB, but too many groups use FB as their primary mode of communication. Sports groups, school groups, etc. It's a quick and fast way of disseminating information. Not to mention smaller groups that might splinter off from a larger, traditional message board.

Almost all my interaction on FB is within private groups, and I rarely post anything publicly, and if I do, I am aware of the risk of it being out there forever. I have friends (for instance photographers) who I have met on other boards who live all over the world, and we connect through FB. I am not sure what we would use as an alternative. Messaging doesn't easily allow for searching specific threads regarding one subject.

I did change my password yesterday in light of this. But at present, I just don't see an alternative. Which is why FB will continue to get away with what it does.
 
That's the reason for 2FA. Even if they have the Facebook password. It's not of too much use.

Actually, if the passwords are stored as plain text on the server side, 2FA will be useless to FB employees who want to view the passwords from inside. They just open their SQL database viewer and bam!—there they are. 2FA layers would only go into effect when accessing the database over the Web, as I understand it, since 2FA is a Web-enabled technology that is an added layer of protection for people accessing via their browser. Server-side database text, on the other hand, is generally stored in SQL tables and can be freely viewed by anyone who has internal access to the server behind the firewall.
 
Never held a FB account and neither has my wife, but this still bothers us. Somehow FB have managed to convince the regulators that is ok to harvest contact and other associated data stored on an FB user's device. I have no doubt that along the way numerous people have shared all my personal details with FB - this is wrong, especially for those with personal security concerns.

Hopefully this is an area where GDPR and the EU can explore. No company should have any of my details without my express permission. Even more so when it is a company I make efforts to avoid in any shape or form.

It is particularly concerning that politicians and world leaders are using FB services to communicate with each other on an informal basis. Zuk has the means, motive and opportunity to hold a good part of the planet to ransom.
 
Never had an account to begin with and loathed them from the beginning.
Now I just need to convince my pals to move out from WhatsApp and then I can give them the middle finger gesture. (Edit note: fixed a typo)

What do people recommend as a secure cross-platform alternative to WhatsApp?
 
The more negative news that comes about for Facebook, the more I hope there is a mass exodus of people who delete their accounts. Facebook is a prime example of a company who has grown too big for their britches.

I anxiously await for the day that Facebook becomes as irrelevant as MySpace.
 
You are an absolute FOOL if you're still on this "service".
Yes. At this point, storing non-hashed passwords should be a criminal offense. Period. The CEO and Chief Engineer of any firm doing it should get jail time for it. That will stop it. This isn't rocket science either, the protocols to make this kind of thing impossible are pretty well known.

Zuk's going to be indicted for numerous things, you can put your house down on that.
 
Saying "I don't have Facebook" is the new version of "I don't watch TV". People think they are cool by saying that...

But it's just stupid; you can use Facebook smartly for following artists, groups of interest, Messenger groups for birthdays, without having all your life, smartphone and apps connected to it. That's just stupid.

Like everything, it's about moderation. But meh.
 
While many are saying "is anyone surprised" I actually am at this.

This is one of the largest corporations in the world, whose sole business is its internet applications, and they ignored one of the most basic security expectations of hashing a password?

That is absolutely surprising and shameful and there is no excuse from them that is acceptable.

This is why I never use “login with Facebook”
 
If they had followed basic security procedures they never would have the passwords anywhere on their network.
This is not accurate. When the users enter their passwords in a web form for logging in, it briefly exists in clear text on the web servers. That is difficult to avoid in a secure way (client-side crypto in the browser using JavaScript has its own security issues). That's where the erroneous logging apparently happened.
Instead they’d have a hashed, salted key derivable from the password and the user’s account ID.
I'm sure that's what they store in their credential database.
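The two controls the exchange above describes, shown as an added example (not code from the thread or from Facebook): the credential store holds only a salted, slow hash derived from the password, and the login handler scrubs password fields before any request data reaches a log, which is the failure mode the article reports. Field names, the work factor and the sample request are assumptions.

```python
import hashlib
import hmac
import os
import re

# PBKDF2-HMAC-SHA256 work factor; an assumed value, tune it for your hardware.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    Only this record is stored; the password itself never reaches the database."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Field names treated as secrets when logging; an assumed list.
SECRET_FIELDS = ("password", "passwd", "pass", "token")
_KV_SECRET = re.compile(r"(?i)\b(password|passwd|pass|token)=([^&\s]*)")


def redact_form(form: dict) -> dict:
    """Copy of a parsed login form that is safe to log: secret fields replaced."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v) for k, v in form.items()}


def redact_log_line(line: str) -> str:
    """Scrub key=value secrets from a raw request line before it is written to a log."""
    return _KV_SECRET.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


# Constructed sample request, as a web handler sees it for the instant described above.
SAMPLE_FORM = {"email": "user@example.com", "password": "correct horse battery staple"}
SAMPLE_LOG_LINE = "POST /login email=user@example.com&password=hunter2 200"

if __name__ == "__main__":
    record = hash_password(SAMPLE_FORM["password"])  # what gets persisted
    print(record, verify_password(SAMPLE_FORM["password"], record))
    print(redact_form(SAMPLE_FORM), redact_log_line(SAMPLE_LOG_LINE))
```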
 
If this happens to Facebook, imagine the current state of security in lesser-known companies. Tip of the iceberg.
 