Adding to the series of problems of security in Facebook, the social media platform on March 21, Thursday, admitted that millions of users' passwords were stored in plain text for years and could have been read by anyone working in the company.
The bug was unearthed during a security review in January and was reported by Brian Krebs, a cybersecurity writer. Facebook, in a blog post, explained the situation and said that they have fixed the bug. They also said that they will notify those whose passwords were stored in plain text.
Around 600 million passwords were stored this way. This is almost one-fifth of the total 2.7 billion users on the social networking platform.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity," Pedro Canahuati, VP Engineering, Security and Privacy, said in the blog on Wednesday.
Canahuati added that while the passwords did not go public, over 2,000 engineers and developers had access to the data. He assured that Facebook would notify the Lite users, who were ones majorly at risk in the situation. Tens of thousands of Instagram users will also be notified. However, Facebook did not say how the bug managed to enter their system.
Usually, passwords stored on the databases will not be stored in plain text and can't be read. Facebook and other companies would salt and hash the passwords to scramble them. According to Techcrunch, this will help with the company to verify the password without knowing them.
"In line with security best practices, Facebook masks people's passwords when they create an account so that no one at the company can see them. In security terms, we "hash" and "salt" the passwords, including using a function called "scrypt" as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text," Canahuati said.
Facebook listed the ways in which they have made various signals which will help detect any suspicious activity. Canahuati explained "For example, even if a password is entered correctly, we will treat it differently if we detect that it is being entered from an unrecognized device or from an unusual location. When we see a suspicious login attempt, we'll ask an additional verification question to prove that the person is the real account owner."
