Coverage: Facebook passwords were improperly stored

Facebook Inc. for years stored hundreds of millions of user passwords in a format that was accessible to its employees, in yet another privacy snafu for the social-media giant.

Jeff Horwitz and Robert McMillan of The Wall Street Journal had the news:

The incident disclosed by the company Thursday involved a wide swath of its users, though Facebook said no passwords were exposed externally, and it hasn’t found evidence of the information being abused.

Facebook estimated it will notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the company’s vice president of engineering, security and privacy Pedro Canahuati said in a blog post Thursday.

Facebook Lite is a stripped-down version of the product for use by people without access to reliable internet service.

The security lapse appears similar to others that have occurred at tech companies, including Twitter Inc., which asked 331 million users to change their passwords in May after discovering that one of its internal systems logged users’ unencrypted passwords.

Barbara Ortutay and Frank Bajak of The Associated Press reported that the issue raises broader questions:

The fact that the company couldn’t manage to do something as simple as encrypting passwords, however, raises questions about its ability to manage more complex encryption issues — such as in messaging — flawlessly.

The problem, according to Facebook, wasn’t due to a single bug. During a routine review in January, it says, it found that the plain text passwords were unintentionally captured and stored in its internal storage systems. This happened in a variety of circumstances — for example, when an app crashed and the resulting crash log included a captured password.

Edward C. Baig of USA Today reported that Facebook is probing the reason:

Citing an unnamed senior Facebook employee as the source, Krebs says the social network is probing the causes of a series of security failures in which employees built applications that logged the unencrypted password data, which apparently numbers between 200 million and 600 million.

Facebook has been a magnet for disturbing news the past couple of years, leaving some people to break up with the service for good and placing CEO Mark Zuckerberg on the hot seat.

Last week, The New York Times reported Facebook’s data practices were under criminal investigation. And Facebook has been riddled by scandals ranging from Cambridge Analytica and fake news to the court documents that revealed youngsters and their parents were duped into spending money on online games earlier this decade.

Krebs told USA TODAY that “Facebook’s motto has long been ‘move fast, break things,’ and this situation seems to be one unfortunate manifestation of that mantra. It’s easy to see how a Facebook engineer or developer might enable password logging for a short period of time – to troubleshoot a specific problem, for example. But it’s also easy for that developer to forget to undo that logging.”

Chris Roush

Chris Roush was the dean of the School of Communications at Quinnipiac University in Hamden, Connecticut. He was previously Walter E. Hussman Sr. Distinguished Professor in business journalism at UNC-Chapel Hill. He is a former business journalist for Bloomberg News, Businessweek, The Atlanta Journal-Constitution, The Tampa Tribune and the Sarasota Herald-Tribune. He is the author of the leading business reporting textbook "Show me the Money: Writing Business and Economics Stories for Mass Communication" and "Thinking Things Over," a biography of former Wall Street Journal editor Vermont Royster.
