Hundreds of millions of Facebook user passwords were inadvertently stored in plain text on the company’s internal systems in another high-profile and embarrassing privacy incident for the social media giant.
The revelation came in the same week that court filings revealed Facebook had potentially been aware of the Cambridge Analytica scandal earlier than it had previously claimed.
In a blog post last week, Facebook vice-president of engineering, security and privacy Pedro Canahuati revealed that a routine security review in January had found that a number of user passwords were being stored internally in a “readable format”, accessible by Facebook employees.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” Canahuati said in the post.
Facebook will notify every user whose password was stored in plain text. It estimates this covers hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users.
Under its normal procedures, Facebook masks a user's password at account creation so that no employee can view it.
“In security terms, we ‘hash’ and ‘salt’ the passwords, including using a function called ‘scrypt’ as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters,” Canahuati said.
“With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.”
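The scheme Canahuati describes, a per-user salt, a memory-hard function (scrypt) and a server-side key, in working form. This is an added illustration, not Facebook's code, and the specifics are assumptions: the key (a "pepper") is applied here as an HMAC over the password before scrypt runs, the work-factor values are illustrative, and the `scrypt$n$r$p$salt$hash` record format is invented for the example. The sample pepper and passwords are constructed inline.

```python
import base64
import hashlib
import hmac
import os

# Illustrative scrypt work factors (assumed, not Facebook's settings).
SCRYPT_N = 2 ** 14   # CPU/memory cost; 128 * r * n bytes of RAM per hash
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def _keyed_prehash(password: str, pepper: bytes) -> bytes:
    """Bind the password to a server-side key before hashing.

    The pepper lives outside the credential database (e.g. in a KMS or
    HSM), so a dump of the hash table alone is not enough to start
    cracking. This HMAC construction is one way to apply such a key; the
    article does not say which construction Facebook uses.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes) -> str:
    """Return a self-describing record that stores no recoverable password."""
    salt = os.urandom(16)  # fresh per user: identical passwords get different hashes
    digest = hashlib.scrypt(
        _keyed_prehash(password, pepper),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(record: str, password: str, pepper: bytes) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.scrypt(
            _keyed_prehash(password, pepper),
            salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except (ValueError, TypeError):
        # Malformed record or bad parameters: treat as a failed login,
        # never as an exception that might leak details to the caller.
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pepper = b"constructed-example-key-kept-outside-the-db"
    record = hash_password("correct horse battery staple", pepper)
    print(record)
    print(verify_password(record, "correct horse battery staple", pepper))
    print(verify_password(record, "correct horse battery stapler", pepper))
```

Note that `hash_password` never stores the password and `verify_password` only ever compares digests, so the database row is useless without the key and the per-record salt. The verifier is only one link in the chain, though: a debug log, crash dump or analytics event that captures the request body before `hash_password` runs still leaves the password in readable form on internal systems, which is the class of failure the article describes.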
Facebook did not reveal how the passwords came to be stored in plain text, but said there was no evidence they had been accessed by anyone within the company.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the blog post said.
Despite this, the company is still recommending that users change their password, use a different, complex password for each service and enable two-factor authentication.
Facebook’s bad week was made even worse with reports that it was aware of the Cambridge Analytica scandal much earlier than when it was first reported in the media in 2018.
It was revealed by The Guardian that political marketing firm Cambridge Analytica had accessed the data of up to 87 million Facebook users through the “improper sharing” of data between the company and an app developer.
Facebook founder Mark Zuckerberg had said the company was only made aware of the controversy after it was covered in the media, but a court filing by the attorney-general for Washington DC paints a different picture.
The attorney-general is suing Facebook over the Cambridge Analytica scandal. In a filing opposing the company's motion to dismiss the case and to keep the documents sealed, the attorney-general said it held documents showing Facebook had known about the data sharing practices earlier than it had claimed.
“The document contains candid employee assessments that multiple third-party applications accessed and sold consumer data in violation of Facebook’s policies during the 2016 US presidential election,” the filing said.
“It also indicates Facebook knew of Cambridge Analytica’s improper data gathering practices months before news outlets reported on the issue.”
A Facebook spokesperson rejected the accusation, saying that employees were aware of rumours relating to the firm, but these were related to a “different incident” than the story reported first by The Guardian.
“In September 2015 employees heard speculation that Cambridge Analytica was scraping data, something that is unfortunately common for any internet service,” the spokesperson said.
“In December 2015, we first learned through media reports that [app developer] Kogan sold data to Cambridge Analytica, and we took action. Those were two different things.”