Facebook's Password Breach Is Even Worse But It Won't Matter Because We Don't Care

This article is more than 4 years old.


Safely buried under yesterday’s avalanche of Mueller report news, Facebook quietly updated its announcement from last month about its massive password breach to acknowledge that it had subsequently discovered millions more Instagram account passwords being stored in cleartext on its servers. Yet, rather than facing public outrage or policymaker intervention, Facebook is unlikely to face any consequences for its actions. The unfortunate truth is that the public has become so inured to cybersecurity breaches that what was once front-page news worthy of congressional hearings is now simply viewed as a routine fact of life online that we wearily accept.

When the first half of Facebook’s latest password saga broke last month, the company acknowledged that up to half a billion users' passwords had been stored in plain text on its servers and accessible to more than 20,000 employees, of which 2,000 made more than 9 million searches accessing those passwords going back to 2012. Even worse, the company had known about the breach for more than three months and only publicly acknowledged it after a whistleblower leaked details to a security blog.

In the latest twist to the story, Facebook conceded yesterday that millions more Instagram user passwords had been found in cleartext on its servers, raising the total number of breached accounts even further.

In a tacit acknowledgement that the passwords users thought were being securely stored had in fact been widely circulated and accessed across Facebook, the company was careful to state only that the passwords had not been “internally abused” or “improperly accessed.”

Facebook’s choice of the contorted language “not internally abused” suggests access to the passwords was far more widespread than initially disclosed, raising grave concerns about the company’s security stance.

Perhaps most remarkable of all is that the company’s cybersecurity stance is so nonexistent that it could be freely streaming, archiving, searching and internally publishing potentially more than half a billion users’ passwords for seven years without ever detecting such a gaping security hole.

To have half a billion passwords freely floating around a company through developer logs paints a portrait of a company still being run as a security-lax startup focused on growth and ease of development, rather than an internet behemoth to which a quarter of the earth’s population entrusts their most intimate communications and personal information.

Security-conscious companies perform relentless audits of every piece of code that interacts in even the most peripheral way with authentication credentials. They also continuously scan their log archives, tracking databases and every other touchpoint through which credentials might be inadvertently stored.
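One way to implement the continuous log scanning described above, as an added Python example that is not from the article or from Facebook: it looks for credential-bearing key/value pairs in query strings, form bodies and JSON payloads that have leaked into log lines. The sample log lines are constructed, and the key names and helper functions are assumptions.

```python
import json
import re

# Parameter names that should never appear in a log with a value attached.
# Ordered longest-first so the regex alternation prefers the full name (assumed list).
SENSITIVE_KEYS = ("password", "passwd", "api_key", "secret", "token", "pass", "pwd")

# Constructed sample log lines (not real Facebook/Instagram logs) in the shapes
# credentials typically leak through: query strings, form bodies, JSON payloads.
SAMPLE_LOGS = [
    '2019-04-18T10:02:11Z INFO GET /login?user=alice&password=hunter2 200',
    '2019-04-18T10:02:12Z DEBUG body={"username": "bob", "password": "s3cr3t!"}',
    '2019-04-18T10:02:13Z DEBUG form: username=carol&pwd=letmein&remember=1',
    '2019-04-18T10:02:14Z INFO GET /feed?user=dave 200',
    '2019-04-18T10:02:15Z ERROR upload failed for user=erin size=1048576',
]

# Greedy match of a JSON object embedded in a log line.
_JSON_RE = re.compile(r'\{.*\}')
# key=value, key: value, or "key": "value"; the value stops at '&', whitespace or a quote.
_KV_RE = re.compile(
    r'(?i)\b(' + '|'.join(SENSITIVE_KEYS) + r')"?\s*[=:]\s*("?)([^&\s"]+)\2'
)


def find_credentials(line):
    """Return sorted (key, value) pairs that look like credentials in one log line."""
    hits = set()
    # Parse an embedded JSON body properly so quoted values are not missed.
    m = _JSON_RE.search(line)
    if m:
        try:
            for key, value in json.loads(m.group(0)).items():
                if key.lower() in SENSITIVE_KEYS:
                    hits.add((key, str(value)))
        except ValueError:
            pass  # not valid JSON; fall through to the generic key/value scan
    # Query strings, form bodies and loosely formatted key/value dumps.
    for key, _quote, value in _KV_RE.findall(line):
        hits.add((key, value))
    return sorted(hits)


def scan_logs(lines):
    """Return (line_number, key, value) for every credential found, for triage."""
    return [(n, k, v) for n, line in enumerate(lines, 1) for k, v in find_credentials(line)]


if __name__ == "__main__":
    for n, key, value in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: credential in field '{key}' (value length {len(value)})")
```

The scan deliberately reports the field name and value length rather than echoing the secret into yet another log.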

The fact that Facebook appears to be doing none of this makes it an outlier among its internet peers in how it views the safety and security of its two billion users.

The company did not respond to a request for comment on when it learned of the latest expansion of the breach and why it believes users should still trust it.

Most importantly, despite repeated requests for comment over the years as to whether it would permit an independent external top-down security audit of its entire technical infrastructure, the company has remained silent. It is clear the company’s own security professionals are incapable of securing its infrastructure, but the company’s refusal to commit to external review and assistance reminds us that things are unlikely to get any better.

Yet, the simple fact of the matter is that we simply don’t care anymore about Facebook breaching our security, safety, privacy or trust.

Those are outdated concepts that no longer have any meaning in a digital world in which billion-user breaches are no longer worthy of front page headlines and congressional inquiries.

In fact, even the media has stopped talking about privacy, while we’ve stopped searching for it.

We just don’t care anymore.

Putting this all together, we live in an online world today in which breaches are considered merely the cost of accessing the internet or of existing in modern society.

Rather than reacting with an uproar to each new breach of our safety and trust, we simply wearily accept that such quaint historical protections no longer apply.

In the end, the simple and unfortunate truth is that Facebook no longer has any reason to protect our privacy or safety because we’ve already told it, in the aftermath of breach after breach, that we just don’t care. No one is leaving the platform despite all of its privacy failures and security breaches, while its redefinition of GDPR to fit its own business interests shows us that the European Union is unwilling to take genuine action against a company so intrinsic to modern life.

It seems we really don’t care about cybersecurity anymore.