Hardly a month goes by without Facebook getting in the news. It's either a security bug, a security breach, or some other privacy-related issue. Last week, Facebook's family of apps and other services relying on Facebook went down due to a configuration bug... or so the social networking giant claims.
The latest security issue uncovered shows that the social giant stored between 200 million and 600 million Facebook users' passwords in plain text, without applying any form of encryption.
According to Krebs on Security, Facebook has been storing Facebook users' passwords unencrypted, in plain text, on internal company servers. Some of these records date back as far as 2012.
The security researcher explained that an anonymous source told him that roughly 200 to 600 million Facebook users' passwords were stored in plain text and could be accessed by more than 20,000 Facebook employees.
While Facebook has claimed that there is no indication that any of the passwords were abused, the source added that about 2,000 developers had made 9 million queries against logs whose returned data contained these plain-text passwords.
"We've not found any cases so far in our investigation where someone was looking intentionally for passwords, nor have we found signs of misuse of this data," Scott Renfro, a software engineer at Facebook, told Krebs. "In this situation what we've found is these passwords were inadvertently logged but there was no actual risk that's come from this. We want to make sure we're reserving those steps and only force a password change in cases where there's definitely been signs of abuse."
The Facebook software engineer told Krebs that the issue was first discovered in January 2019, when security engineers reviewing some new code noticed that passwords were being inadvertently logged in plain text.
"This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening," Scott Renfro told Krebs. "We have a bunch of controls in place to try to mitigate these problems, and we're in the process of investigating long-term infrastructure changes to prevent this going forward. We're now reviewing any logs we have to see if there has been abuse or other access to that data."
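As an added illustration of the failure mode described above (this is example code, not Facebook's code and not from Krebs's report), the following Python snippet shows a logging filter that scrubs password-like fields before a record reaches any log sink, plus a scanner that flags lines in logs already written that still carry such values. The key names, regex and sample log lines are assumptions constructed for this example.

```python
import logging
import re

# Values that must never reach a log sink: password-like keys in form bodies,
# JSON and key=value pairs, and Basic/Bearer Authorization headers. The key list
# is an assumption for this example; a benign "token: expired" being redacted is fine.
SECRET_RE = re.compile(
    r'(?i)(\b(?:password|passwd|pwd|secret|token)\b"?\s*[=:]\s*)("?)([^\s,&"}]+)("?)'
    r'|(Authorization:\s*(?:Basic|Bearer)\s+)([A-Za-z0-9+/=._-]+)'
)

def redact(text: str) -> str:
    """Replace each secret value with a marker; keep the key so the line still tells
    an investigator which field was scrubbed."""
    def sub(m):
        if m.group(1):  # key=value or "key": "value" form
            return f"{m.group(1)}{m.group(2)}[REDACTED]{m.group(4)}"
        return f"{m.group(5)}[REDACTED]"  # Authorization header form
    return SECRET_RE.sub(sub, text)

class RedactingFilter(logging.Filter):
    """Scrub the message and its arguments before any handler formats them."""
    def filter(self, record):
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):  # %(name)s style arguments
            record.args = {k: redact(str(v)) for k, v in record.args.items()}
        elif record.args:  # positional %s arguments
            record.args = tuple(redact(str(a)) for a in record.args)
        return True

def filtered_message(msg, *args):
    """Render a log call the way a handler would after RedactingFilter has run."""
    record = logging.LogRecord("app", logging.INFO, "", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()

def scan_log_lines(lines):
    """Detection for logs already on disk: (line number, key) per secret found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in SECRET_RE.finditer(line):
            key = re.match(r"\w+", m.group(1) or m.group(5)).group(0).lower()
            hits.append((n, key))
    return hits

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())  # on the handler, so every logger is covered
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    logging.info("login form: %s", "user=bob&password=hunter2")  # emitted redacted
```

Attaching the filter to the handler rather than to a logger matters: a filter on a logger only sees records created by that logger, not those of its children.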
Krebs's source said that Facebook, in its later statements, would intentionally keep the numbers as low as possible by counting only certain sources of data.
"The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds" (of affected users), the source told Krebs on Security. "Right now they're working on an effort to reduce that number even more by only counting things we currently have in our data warehouse."
Facebook, presumably in response to Krebs's post, issued a statement about password security in general, acknowledging in the abstract that a security breach had occurred without detailing it. The statement focused on how Facebook users can improve their own security... which has nothing to do with this security breach in the first place!