Facebook admits storing millions of user passwords in plain text files for years

Thousands of Facebook employees may have had access to people's Facebook and Instagram passwords

Anthony Cuthbertson
Thursday 21 March 2019 17:12 GMT

Facebook stored hundreds of millions of user passwords in plain text files, the social network has admitted.

The error was revealed in a blog post that detailed how passwords had been stored in a readable format within its internal data storage systems.

Pedro Canahuati, Facebook's vice president of engineering, security and privacy, said the passwords were visible to Facebook employees, potentially meaning thousands of people had access to people's private accounts.

He claimed there was no evidence anyone abused or improperly accessed them and that Facebook is in the process of notifying affected users.

"We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users," Mr Canahuati wrote.

"There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook."

A spokesperson for Facebook was not immediately available for comment.

Security experts were quick to criticise Facebook, in what is just the latest in a series of high-profile incidents involving its users' data.

"Passwords in a flat file for anyone to read?! Are you kidding me? Give me a break! Everyone, including Facebook, has tech debt and security debt that piles up. But that's not an excuse any longer," Sam Curry, chief security officer at security firm Cybereason, told The Independent.

"Facebook is starting to look like critical social infrastructure, where their responsibility is to the public. It's past time to go back and clean the skeletons out of the closets.

"How can we trust this platform to get bigger and get more connected under the hood if they can't do the basic blocking and tackling right? Facebook needs a security strategy for the 21st century not the 20th century."
