Security lapse the latest privacy issue for the social-media giant

The company identified the issue as part of a routine security review in January.

Source: Jeff Horwitz and Robert McMillan

Facebook Inc. for years stored hundreds of millions of user passwords in a format that was accessible to its employees, in yet another privacy snafu for the social-media giant.

The incident disclosed by the company Thursday involved a wide swath of its users, though Facebook said no passwords were exposed externally, and it hasn’t found evidence of the information being abused.

Facebook estimated it will notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the company’s vice president of engineering, security and privacy Pedro Canahuati said in a blog post Thursday.

Facebook Lite is a stripped-down version of the product for use by people without access to reliable internet service.

The security lapse appears similar to others that have occurred at tech companies, including Twitter Inc., which asked 331 million users to change their passwords in May after discovering that one of its internal systems logged users’ unencrypted passwords.

Because so many people reuse their passwords, they have emerged as a major security problem for tech companies. Password databases have become a prime target for cyber thieves, and hackers will often try a user’s stolen password to break into new sites. Most companies, including Facebook, monitor the internet for publicly released databases of passwords.

“Passwords are extremely sensitive data,” said Deirdre K. Mulligan, an associate professor at University of California Berkeley, who specializes on data privacy. “If passwords are being stored in the clear, accessible by thousands of employees, one can only imagine how poorly other data is being managed,” she said.

Facebook’s data-security lapse attracted more attention than similar stumbles elsewhere given persistent criticism of how the company collects, stores and deploys its users’ data.

It also contradicts at least some of the company’s previous assurances on the matter. In a 2014 post about password security, Facebook’s then-security engineer Chris Long wrote that “no one here has your plain text password.”

Facebook identified that it did log plain-text passwords as part of a security review in January, Mr. Canahuati said.

During the review, Facebook has been looking for ways it stores some information, such as access tokens, and have fixed problems as they were discovered, he said. While Facebook will notify users whose passwords were stored insecurely “as a precaution,” there is no current plan to require users to change their passwords.

Full Story