
Facebook did not securely store passwords. Here’s what you need to know

Facebook said on Thursday that millions of user account passwords had been stored insecurely, potentially allowing employees to gain access to people’s accounts without their knowledge.

The Silicon Valley company publicized the security failure around the same time that Brian Krebs, a cybersecurity writer, reported the password vulnerability. Krebs said an audit by Facebook had found that hundreds of millions of user passwords dating to 2012 were stored in a format known as plain text, which makes the passwords readable to more than 20,000 of the company’s employees.

Facebook said it had found no evidence of abuse and that it would begin alerting millions of its users and thousands of Instagram users about the issue. The company said it would not require people to reset their passwords.


The security failure is another embarrassment for Facebook, a $470-billion colossus that employs some of the most sought-after cybersecurity experts in the industry. It adds to a growing list of data scandals that have tarnished Facebook’s reputation over the last few years. Last year, amid revelations that a political consulting firm improperly gained access to the data of millions, Facebook also revealed that an attack on its network had exposed the personal information of tens of millions of users.

In response, the company has repeatedly said it plans to improve how it safeguards people’s data.

“There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” Pedro Canahuati, Facebook’s vice president of engineering in security and privacy, said in a blog post on Thursday.

Here’s a rundown of what you need to know about the password vulnerability and what you can do.

What’s the problem?

Storing passwords in plain text is a poor security practice. It leaves passwords wide open to cyberattacks or potential employee abuse. A better security practice would have been to keep the passwords in an encrypted format, which would have scrambled the data so no one could decipher the passwords without a key.
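As an added illustration (not code from the article or from Facebook), the two storage practices side by side: a record that keeps the password exactly as the user typed it, beside one that stores only a salted one-way hash, which is the standard recommendation for password storage (hashing rather than reversible encryption). The usernames and passwords are constructed sample values.

```python
import hashlib
import hmac
import os


def store_plaintext(username: str, password: str) -> dict:
    """Insecure: whoever can read this record (or any log line it lands in)
    reads the password itself."""
    return {"username": username, "password": password}


def store_hashed(username: str, password: str, iterations: int = 200_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record. The password is never written down;
    only a value that cannot be turned back into it is kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {
        "username": username,
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": digest.hex(),
    }


def verify_hashed(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def record_reveals_password(record: dict, password: str) -> bool:
    """What an employee with read access to the stored record would learn:
    True if the password appears verbatim anywhere in it."""
    return password in " ".join(str(v) for v in record.values())


if __name__ == "__main__":
    # Constructed sample credential, not a real account.
    user, pw = "alice", "correct horse battery staple"
    insecure, secure = store_plaintext(user, pw), store_hashed(user, pw)
    print("plaintext record leaks password:", record_reveals_password(insecure, pw))
    print("hashed record leaks password:   ", record_reveals_password(secure, pw))
    print("hashed record still verifies:   ", verify_hashed(secure, pw))
```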

Facebook said it has not found evidence of abuse, but that does not mean it did not occur. Citing a Facebook insider, Krebs said access records revealed that 2,000 engineers or developers made 9 million queries for data that included plain-text user passwords.


A Facebook employee could have shared your password with someone else who would then have improper access to your account, for instance. Or an employee could have read your password and used it to log on to a different site where you used the same password. There are plenty of possibilities.

Ultimately, a company as large, rich and as well-staffed as Facebook should have known better.

How do I know whether someone had access to my account?

There’s no easy way to know. Facebook is still in the process of its investigation and will begin alerting people who might have had their passwords stored in the plain text format.

What should I do?

Facebook is not requiring users to change their passwords, but you should do it anyway.


There are many guidelines for choosing strong passwords – for example, do not reuse the same password across multiple sites, and do not use your Social Security number as a username or a password. You can also set up security features such as two-step verification.

There are a few other steps to take. I recommend also setting up your Facebook account to receive alerts in the event that an unrecognized device logs in to the account. To do so, go to your Facebook app settings, tap Security and Login, and then tap Get alerts about unrecognized logins. From here, you can choose to receive the alerts via messages, email or notifications.

An audit of devices that are logged in to your account may also be in order, so that you know what laptops, phones and other gadgets are already accessing your account. On Facebook’s Security and Login page, under the tab labeled “Where You’re Logged in,” you can see a list of devices that are signed into your account, as well as their locations.

If you see an unfamiliar gadget or a device signed in from an odd location, you can click the “Remove” button to boot the device out of your account.
