Coverage: Facebook passwords were improperly stored

Facebook Inc. for years stored hundreds of millions of user passwords in a format that was accessible to its employees, in yet another privacy snafu for the social-media giant.

Jeff Horwitz and Robert McMillan of The Wall Street Journal had the news:

The incident disclosed by the company Thursday involved a wide swath of its users, though Facebook said no passwords were exposed externally, and it hasn’t found evidence of the information being abused.

Facebook estimated it will notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the company’s vice president of engineering, security and privacy Pedro Canahuati said in a blog post Thursday.

Facebook Lite is a stripped-down version of the product for use by people without access to reliable internet service.

The security lapse appears similar to others that have occurred at tech companies, including Twitter Inc., which asked 331 million users to change their passwords in May after discovering that one of its internal systems logged users’ unencrypted passwords.

Barbara Ortutay and Frank Bajak of The Associated Press reported that the issue raises broader questions:

The fact that the company couldn’t manage to do something as simple as encrypting passwords, however, raises questions about its ability to manage more complex encryption issues — such as in messaging — flawlessly.

The problem, according to Facebook, wasn’t due to a single bug. During a routine review in January, it says, it found that the plain text passwords were unintentionally captured and stored in its internal storage systems. This happened in a variety of circumstances — for example, when an app crashed and the resulting crash log included a captured password.

Edward C. Baig of USA Today reported that Facebook is probing the reason:

Citing an unnamed senior Facebook employee as the source, Krebs says the social network is probing the causes of a series of security failures in which employees built applications that logged the unencrypted password data, which apparently numbers between 200 million and 600 million.

Facebook has been a magnet for disturbing news the past couple of years, leaving some people to break up with the service for good and placing CEO Mark Zuckerberg on the hot seat.

Last week, The New York Times reported Facebook’s data practices were under criminal investigation. And Facebook has been riddled by scandals ranging from Cambridge Analytica and fake news to the court documents that revealed youngsters and their parents were duped into spending money on online games earlier this decade.

Krebs told USA TODAY that “Facebook’s motto has long been ‘move fast, break things,’ and this situation seems to be one unfortunate manifestation of that mantra. It’s easy to see how a Facebook engineer or developer might enable password logging for a short period of time – to troubleshoot a specific problem, for example. But it’s also easy for that developer to forget to undo that logging.”

Chris Roush

Chris Roush was the dean of the School of Communications at Quinnipiac University in Hamden, Connecticut. He was previously Walter E. Hussman Sr. Distinguished Professor in business journalism at UNC-Chapel Hill. He is a former business journalist for Bloomberg News, Businessweek, The Atlanta Journal-Constitution, The Tampa Tribune and the Sarasota Herald-Tribune. He is the author of the leading business reporting textbook "Show me the Money: Writing Business and Economics Stories for Mass Communication" and "Thinking Things Over," a biography of former Wall Street Journal editor Vermont Royster.
