Facebook is once again making headlines after the company discovered it had been storing hundreds of millions of users' passwords in plain text for years.
The company says it is currently investigating the situation, but said that in January it discovered some users' passwords had been stored in a readable format within its internal data storage systems, according to a March 21 blog post.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” wrote Facebook Vice President of Engineering, Security and Privacy Pedro Canahuati. “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
Canahuati explained that the passwords were never visible to anyone outside the company and that, so far, there is no evidence that they were internally abused or improperly accessed.
“Unfortunately, such undocumented ‘features’ are quite widespread in large technology companies,” said High-Tech Bridge CEO Ilia Kolochenko. “Frequently, there is no malicious intent or negligence, but rather an internal ‘hack’ to better resolve some issues or conduct testing.”
Kolochenko said that “shadow data and its usage are virtually uncontrollable, and even now it would be premature to conclude that the [Facebook] issue is fully remediated – numerous backups, including custom backups made by employees, may still exist in different and unknown locations.”
Tim Buntel, VP of Application Security Products at Threat Stack, said the revelation that Facebook stored millions of plain-text passwords on an unencrypted internal server is indicative of some of the challenges commonly found in large organizations, where simple security tasks can be overlooked or ignored.
“It’s important to consider where data will be stored, how it will be secured, and if that protection is risk appropriate at all stages of the development and operations lifecycle,” Buntel said. “The lesson here is to prioritize security observability, so organizations can easily identify vulnerabilities and misconfigurations like this.”
Thycotic Chief Information Security Officer Terence Jackson questioned whether the flaw was an acceptable risk.
“Assuming they are following an SSDLC, this should have definitely been a core protection built into the system,” Jackson said. “Because there is no evidence that anyone external to Facebook had access to the un-encrypted passwords is not reassuring.”
Jackson added that, as a Facebook user, he questions why an internal employee would need access to his un-encrypted password, and said that ultimately it’s still up to the consumer to govern the data shared with services like these. This won’t be the last of Facebook’s issues, he added.
The social media giant has been under fire by politicians and privacy advocates alike. Most recently Sen. Elizabeth Warren, D-Mass., called for the breakup of big tech companies including Facebook to promote privacy and competition.
The criticism against Facebook in particular alleges the company has purchased all of its competitors such as Instagram and WhatsApp, severely limiting competition in its space. The company is also reportedly under a criminal probe for data sharing practices with “partners” including more than 150 companies.
A number of scandals have been reported in just the short period after Facebook CEO Mark Zuckerberg made a commitment to pivot his platform toward privacy over the next few years.
But users likely will have to bear some of the onus for countering privacy violations and breaches. Noting that issues like the latest Facebook privacy flub “are very time-consuming to discover even with an external audit,” Kolochenko said, “when dealing with large technology companies be well prepared to understand that they know everything about you and [internally] may handle this data differently from what their policy or terms of services say.”