Facebook workers had access to user passwords
When it comes to Facebook and security, it seems there is one potentially damaging lapse after another.
The latest was uncovered by the KrebsOnSecurity security news site, flagging hundreds of millions of Facebook users who had their account passwords stored in plain text that could be searched by more than 20,000 Facebook employees – in some cases dating to 2012.
The author of the report, Brian Krebs, says Facebook told him that none of the employees, to the company’s knowledge, abused the data.
Facebook later admitted as much publicly, in a newsroom blog posted by Pedro Canahuati, vice president of engineering for security and privacy
“We have fixed these issues, and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” he wrote. The issue first came to light in January. “To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them,” Canahuati continued. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
Citing an unnamed senior Facebook employee as the source, Krebs says the social network is probing the causes of a series of security failures in which employees built applications that logged the unencrypted password data. While Facebook claims none of the passwords were exposed externally, it points users to settings where you can change your passwords.