At this point it is hard to keep a tidy summary of all of Facebook's integrity, abuse, and security lapses. And it just got harder. On Thursday, following a report by Krebs on Security, Facebook acknowledged a flaw in its password management systems that caused hundreds of millions of user passwords for Facebook, Facebook Lite, and Instagram to be stored in plaintext on an internal platform. That means thousands of Facebook employees could have searched for and found them. Krebs reports that the passwords stretched back to ones created in 2012.
Organizations can store account passwords safely by scrambling them with a cryptographic process called hashing before saving them on their servers. That way, even if someone compromises the stored passwords, they will not be able to read them, and a computer would be difficult
"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems," said Pedro Canahuati, Facebook's vice president of technology, security, and privacy, in a statement. "Our login systems are designed to mask passwords using techniques that make them unreadable. To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence that anyone internally abused or accidentally accessed them." Canahuati says Facebook has now fixed the password-logging bug, and that the company will notify hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users that their passwords may have been exposed. Facebook does not plan to reset users' passwords.
"In some ways it is the most sensitive data they hold, because it is untreated and uncontrolled."
Kenn White, Open Crypto Audit Project
For such a prominent target, Facebook has had relatively few technical security failures, and in this case it does not appear to have been breached by an outside attacker. But the company's track record was badly damaged by a breach in September in which attackers stole extensive data on 30 million users by compromising their access tokens, the authentication markers generated when a user logs in.
The breach indirectly helped Facebook discover the cache of plaintext passwords and the errors that put them there; the incident prompted a security review that turned them up. "During our review, we looked at how we store some other categories of information, like access tokens, and have fixed problems as we've discovered them," wrote Canahuati.
"It's good that they are proactive," said Lukasz Olejnik, an independent cybersecurity advisor and research assistant at the Center for Technology and Global Affairs at Oxford University. "But this is a big deal. It seems they found the problem during a review, so perhaps their previous mistakes plus new privacy rules make these controls more standard."
Facebook told WIRED that the exposed passwords were not all stored in one place, and that the problem did not stem from a single bug. Instead, the company had inadvertently and incidentally captured plaintext passwords across a number of internal mechanisms and storage systems, such as crash logs. Facebook says the diffuse nature of the problem made it more complicated to understand and fix, which the company says explains the almost two months it took to complete the investigation and disclose the results.
A company operating at Facebook's enormous scale needs to keep network traffic logs to understand and track errors, outages, and other events. Those logs will inevitably sweep up whatever network data happens to be passing by, so it is understandable that Facebook captured passwords in the process; the question is why Facebook kept logs containing sensitive data for so long, and why the company was apparently unaware of their contents.
"Capturing data as part of troubleshooting and operating a network at the scale they do is not uncommon," says Kenn White, a security engineer and head of the Open Crypto Audit Project. "But if Facebook keeps it for several years, that raises a lot of questions about their architecture. They have an obligation to protect these troubleshooting logs and to review and understand what they keep. In some ways it is the most sensitive data they hold, because it is untreated and unmanaged."
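The failure mode described above, credentials swept into crash or request logs, is something a log pipeline can check for. The following is an added example written for this page, not Facebook's tooling: a scrubber that masks password-like fields in structured log lines and a scanner that reports which lines carried one. The field names, regexes and sample log lines are all constructed assumptions.

```python
import re
from typing import List, Tuple

# Field names treated as secrets (an assumption for this example).
SECRET_FIELDS = r"[\w-]*(?:pass(?:word|wd|phrase)?|pwd|secret|token)"
# password=hunter2  in URL-encoded bodies, query strings and key=value logs
FORM_RE = re.compile(rf"(?i)\b({SECRET_FIELDS})=([^&\s\"']+)")
# "password": "hunter2"  in JSON bodies embedded in a log line
JSON_RE = re.compile(rf'(?i)("{SECRET_FIELDS}"\s*:\s*")((?:\\.|[^"\\])*)(")')
MASK = "[REDACTED]"

# Constructed sample crash-log lines; not real Facebook data.
SAMPLE_LOG = [
    '2019-01-15T10:22:01Z ERROR svc=login-lite msg="POST /login failed" '
    'body="email=alice%40example.com&password=hunter2&remember=1"',
    '2019-01-15T10:22:05Z INFO svc=api msg="request" '
    'payload={"user":"bob","password":"S3cret!","device":"android"}',
    '2019-01-15T10:22:07Z INFO svc=api msg="health ok"',
    '2019-01-15T10:22:09Z INFO svc=graph msg="GET /me" '
    'query="access_token=EAABconstructed123&fields=id,name"',
]


def redact_credentials(line: str) -> Tuple[str, int]:
    """Mask credential values in one log line; return (masked_line, masks_applied)."""
    hits = 0

    def _form(m: re.Match) -> str:
        nonlocal hits
        hits += 1
        return f"{m.group(1)}={MASK}"

    def _json(m: re.Match) -> str:
        nonlocal hits
        hits += 1
        return f"{m.group(1)}{MASK}{m.group(3)}"

    line = JSON_RE.sub(_json, line)  # JSON first so the form rule cannot re-match it
    line = FORM_RE.sub(_form, line)
    return line, hits


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, masked_line) for every line that carried a credential."""
    findings = []
    for n, raw in enumerate(lines, start=1):
        masked, hits = redact_credentials(raw)
        if hits:
            findings.append((n, masked))
    return findings


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: {masked}")
```

Running the scanner over retained logs answers the question raised above, what sensitive data the logs actually contain, while the scrubber belongs at ingestion so the plaintext is never written in the first place.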
Twitter dealt with a very similar plaintext-passwords-in-logs problem at the end of May; it did not require users to reset their passwords and said there was no reason to believe the passwords had actually been compromised. Likewise, Facebook says its investigation has not turned up any sign that anyone intentionally accessed its hundreds of millions of exposed passwords to steal them. But whether or not you get a password notification from Facebook, you might as well go ahead and change it just in case.
On Facebook's desktop site, go to Settings → Security and Login → Change Password. On Facebook for iOS and Android, go to Settings and Privacy → Settings → Security and Login → Change Password. On Facebook Lite for Android, go to Settings → Security and Login → Change Password. Changing your password on either Facebook or Facebook Lite changes it for both.
On Instagram, go to Settings → Privacy and Security → Password to change your password. Instagram and Facebook do not share a password, but the accounts can be linked so that you can log in to one with the other.
And while you're at it, the easiest way to keep track of and manage your passwords, so that changing them after incidents like this is painless, is to use a password manager. Set one up now.
Facebook says the plaintext password problem is now resolved and that it does not believe there will be long-term consequences from the incident, because the passwords were never stolen. But given the company's seemingly endless stream of gaffes, it's hard to know what's coming next.
"I understand they are working at a scary scale," White says. "But these are the crown jewels."