Facebook Exposed Up To 600 Million Passwords -- Here's What To Do

Facebook is once again under the spotlight after admitting to exposing passwords belonging to hundreds of millions of users. It is the latest in a string of security incidents for the social network over the past year and comes as the firm is accused of abusing user data with a US criminal investigation underway.

What happened?

As part of a routine security review in January, Facebook found that user passwords were being stored in a readable format within its internal data storage systems. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” says Pedro Canahuati, VP engineering, security and privacy in a blog.

According to cybersecurity journalist Brian Krebs, the plaintext passwords had been searchable by Facebook employees in some cases since 2012. An anonymous Facebook employee told Krebs that the firm is probing a series of security failures after employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.

The source told Krebs it could have impacted between 200 million and 600 million users, with this information potentially available to 20,000 Facebook employees.

The issue has now been fixed, says Canahuati. According to Canahuati, the passwords were never visible to anyone outside of Facebook and “we have found no evidence to date that anyone internally abused or improperly accessed them”.

Who is impacted?

Facebook says it will be notifying everyone whose passwords were stored in this way. And it’s not a small amount: Hundreds of millions could be affected, Canahuati says. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”

Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.

If you are impacted, change your Facebook password straight away – and make sure you have enabled two-factor authentication as well.

What is Facebook doing now?

Facebook says it has been looking at the ways it stores certain other categories of information, such as access tokens, and has “fixed problems as [it] has discovered them”.

“There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” Canahuati says.

He explains how the firm secures passwords: “In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them.”

It does this by using encryption. “In security terms, we ‘hash’ and ‘salt’ the passwords, including using a function called ‘scrypt’ as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters.

“With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text,” says Canahuati.
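To make the hash-and-salt scheme Canahuati describes concrete, here is an added example (not Facebook's code) of storing and verifying a password with scrypt in Python. The server-side secret standing in for the “cryptographic key”, the scrypt cost parameters and the record layout are all assumptions; the last function is the kind of check a storage review like the one in January could run to confirm no stored record contains the password itself.

```python
import hashlib
import hmac
import os

# Constructed server-side secret standing in for the "cryptographic key" in the
# quote; in a real deployment it lives in a KMS or HSM, never beside the hashes.
PEPPER = b"constructed-example-pepper-not-a-real-secret"

# scrypt cost parameters (assumed; Facebook's actual settings are not public here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _keyed(password: str) -> bytes:
    # Bind the password to the server secret before salting and stretching.
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Return the record to store; it contains a random salt and the
    stretched hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(_keyed(password), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash from the stored salt and parameters and compare it
    in constant time, so the plaintext is never needed at rest."""
    digest = hashlib.scrypt(_keyed(password), salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"], dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def record_is_plaintext_free(password: str, record: dict) -> bool:
    """Review-style check: no stored field may contain the password verbatim.
    A logging pipeline that wrote the raw password would fail this."""
    return all(password not in str(value) for value in record.values())


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
```

Because each record carries its own salt, two users who pick the same password get different hashes, which is why the salt matters as much as the hash function.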

How to secure yourself on Facebook

This headline might provoke sniggers, and rightly so given Facebook’s track record for breaches and data leaks. It’s true that security on Facebook has not been great in the past: securing yourself while having a Facebook account can be somewhat challenging and some people have chosen to delete their accounts altogether.

But the firm does do things such as looking for logins from new devices and asking for verification if anything suspicious comes up. People can also sign up to receive alerts about unrecognized logins, and the firm keeps an eye on data breach announcements from other organizations and publicly posted databases of stolen credentials. It’ll then notify you the next time you log in and guide you through changing your password.

Facebook also introduced the ability to register a physical security key to your account, so the next time you log in, you can tap a small hardware device that plugs into a USB port on your computer.

Overall, password security is key. Do not use the same password across multiple sites, and if you do, change your credentials now. Passwords need to be complex and unique: A line from a book or film is safer than repeating credentials across sites. It might be hard to remember multiple passwords, but that’s why you can use a password manager such as LastPass or 1Password to remember credentials for you.

Even if you haven’t been affected by this breach, it makes sense to change your password now. Facebook has been less than transparent in the past and having a suspicious mind can be helpful when it comes to protecting your data.