Facebook left millions of passwords readable by employees
that neither Facebook nor any other outsider can read.
The fact that the company couldn’t manage to do something as simple as encrypting passwords, however, raises questions about its ability to manage more complex encryption issues — such as in messaging — flawlessly.
Facebook said it discovered the problem in January. But security researcher Brian Krebs wrote that in some cases the passwords had been stored in plain text since 2012. Facebook Lite launched in 2015 and Facebook bought Instagram in 2012.
The problem, according to Facebook, wasn’t due to a single bug. During a routine review in January, it said, it found that the plain text passwords were unintentionally captured and stored in its internal storage systems. This happened in a variety of circumstances — for example, when an app crashed and the resulting crash log included a captured password.
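As an added defender-side example, not Facebook's code, the Python below shows one mitigation for the failure mode just described: scrubbing password fields out of a crash report before it is written to internal storage, plus an audit check for logs that already exist. The report layout, field names and sample values are assumed.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

# Field names treated as secrets (an assumed list; extend it for your own schemas).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "secret"}
REDACTED = "[REDACTED]"

def _is_sensitive(key: str) -> bool:
    k = key.lower()
    return k in SENSITIVE_KEYS or "password" in k

def redact_obj(obj):
    """Recursively mask values stored under sensitive keys in decoded JSON."""
    if isinstance(obj, dict):
        return {k: (REDACTED if _is_sensitive(str(k)) else redact_obj(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_obj(v) for v in obj]
    return obj

def redact_form(body: str) -> str:
    """Mask sensitive fields in a form-encoded body or a URL query string."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, REDACTED if _is_sensitive(k) else v) for k, v in pairs])

def redact_crash_report(report: dict) -> dict:
    """Scrub the parts of a crash report most likely to carry a submitted password.

    'report' is an assumed layout with optional 'url' and 'request_body' keys;
    the input dict is left unmodified.
    """
    clean = dict(report)
    body = clean.get("request_body", "")
    if body:
        try:  # JSON bodies are walked structurally; anything else is treated as form data
            clean["request_body"] = json.dumps(redact_obj(json.loads(body)))
        except ValueError:
            clean["request_body"] = redact_form(body)
    if "?" in clean.get("url", ""):
        path, _, query = clean["url"].partition("?")
        clean["url"] = f"{path}?{redact_form(query)}"
    return clean

# Audit check for existing logs: does a password field still carry a raw value?
_LEAK_RE = re.compile(
    r'(?i)(?:password|passwd|pwd)"?\s*[=:]\s*"?(?!\[REDACTED\]|%5BREDACTED%5D)[^&"\s,}]+')

def has_cleartext_password(line: str) -> bool:
    return _LEAK_RE.search(line) is not None
```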
But Alex Holden, the founder of Hold Security, said Facebook’s explanation is not an excuse for sloppy security practices that allowed so many passwords to be exposed internally.
Recorded Future’s Barysevich said he could not recall any major company caught leaving so many passwords exposed.
He said he’s seen a number of instances where much smaller organizations made such information readily available — not just to programmers but also to customer support teams.