BY NOW, IT’S difficult to summarize all of Facebook’s privacy, misuse, and security missteps in one neat description. It just got even harder: On Thursday, following a report by Krebs on Security, Facebook acknowledged a bug in its password management systems that caused hundreds of millions of user passwords for Facebook, Facebook Lite, and Instagram to be stored as plaintext in an internal platform.
This means that thousands of Facebook employees could have searched for and found them. Krebs reports that the passwords stretched back to those created in 2012. Organizations can store account passwords securely by scrambling them with a cryptographic process known as hashing before saving them to their servers. This way, even if someone compromises those passwords, they won’t be able to read them, and a computer would find it difficult—even functionally impossible—to unscramble them.
As a prominent company with billions of users, Facebook knows that it would be a jackpot for hackers, and invests heavily to avoid the liability and embarrassment of security mishaps. Unfortunately, though, one open window negates all the padlocks, bolts, and booby traps money can buy.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Pedro Canahuati, Facebook’s vice president of engineering, security, and privacy wrote in a statement.
“Our login systems are designed to mask passwords using techniques that make them unreadable. To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”