Facebook left ‘hundreds of millions’ of users’ passwords stored in plain text

Washington Post

Facebook Inc. said Thursday that it had left “hundreds of millions” of users’ passwords exposed in plain text, potentially visible to the company’s employees, marking another major privacy and security headache for a tech giant already under fire for mishandling people’s personal information.

Facebook said it believed the passwords were not visible to anyone outside the company, and had no evidence that its employees “internally abused or improperly accessed them” — but said it would notify users of its namesake social network, and of its photo-sharing site Instagram, that they had been affected.

The incident was first revealed by the Krebs on Security blog, which said the problem began in 2012 and estimated that the total number of affected users ranged between 200 million and 600 million. Facebook declined Thursday to confirm the estimate.

The revelation adds to a litany of recent privacy and security mishaps at Facebook, some of which have triggered investigations in the United States and European Union and could carry the risk of steep fines and other punishments.


Like most companies, Facebook said it stores passwords in a way that’s supposed to make them unreadable using a technique called hashing. But a January security review, detailed in a blog post Thursday, found they were actually stored in a readable format. Facebook said it has since fixed the problem. It said that most affected were users of Facebook Lite, a stripped-down version of the social network that’s largely in use in countries with lower internet connection speeds.

“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” Pedro Canahuati, the company’s vice president of engineering, security and privacy, said in the blog post. “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”

During its review, Canahuati said, Facebook also looked at its other security practices, including its use of “access tokens,” which is how third-party apps identify a Facebook user and can access one’s profile information. He said Facebook had “fixed problems as we’ve discovered them,” but the company did not immediately comment on other security mishaps it identified.

In September, Facebook acknowledged that hackers had stolen information that may have enabled them to access 50 million user accounts. It logged out 90 million users from their accounts because of the security incident, which allowed hackers to access profile information including users’ names and genders.


Separately, in the wake of last week’s terror attack in New Zealand, Facebook said early Thursday that it would reexamine how it reacts to live and recently aired videos.

The first user to alert Facebook to grisly footage of the deadly attack on two mosques in Christchurch, New Zealand, clocked in 29 minutes after the video began and 12 minutes after it ended. Had it been flagged while the feed was live, Facebook said, the social network might have moved faster to remove it.

Facebook says it prioritizes user reports of a livestream for “accelerated review” — a more immediate look by moderators — so first responders can be alerted about an emergency as quickly as possible.

But this expedited review process applies to recently live videos only if they are flagged for suicide, it said. Other types of recently live videos, such as the mass shooting in New Zealand, are not covered by this expedited review.


Facebook said this may change.

“We are reexamining our reporting logic and experiences for both live and recently live videos in order to expand the categories that would get to accelerated review,” it said.