Facebook stored the passwords of hundreds of millions of its users in plain text inside its internal systems, the social media giant has revealed.
"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable," said Facebook's VP of engineering, security and privacy Pedro Canahuati in a blog post.
Canahuati said as a precaution Facebook will be notifying everyone whose passwords were stored in this way. Facebook said the passwords were never visible to anyone outside of the company and that it has found "no evidence to date" that anyone internally abused or improperly accessed them.
Facebook said it will have to notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.
In line with best security practices, Facebook said that in general it masks people's passwords when they create an account so that no one at the company can see them.
"In security terms, we 'hash' and 'salt' the passwords, including using a function called 'scrypt' as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters," it said.
"With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text."
However, in this case it is thought that the passwords may have been stored in parts of Facebook's systems if they had inadvertently become part of a crash or error log. This could have meant that passwords ended up in systems not designed to handle passwords, without the knowledge of the engineers working with those systems.
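The two halves of this story, as an added example that is not Facebook's code: a salted scrypt hash bound to a server-side key for storage and login checks, and a scrubber that masks password fields before a request is written to a crash or error log. The use of HMAC-SHA256 for the keyed step, the cost parameters, and the field names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumption: server-side secret key; generated here, in practice held in a KMS/HSM.
SERVER_KEY = os.urandom(32)
# Assumed scrypt cost parameters (about 16 MiB of memory per hash).
N, R, P = 2**14, 8, 1
# Assumed names of fields that must never reach a log.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "new_password"}


def hash_password(password: str, key: bytes = SERVER_KEY) -> dict:
    """Derive a storable record: per-user random salt, scrypt, then a keyed MAC."""
    salt = os.urandom(16)
    derived = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    tag = hmac.new(key, derived, hashlib.sha256).digest()
    # Only the salt, cost parameters and tag are stored; the password is not.
    return {"salt": salt.hex(), "n": N, "r": R, "p": P, "tag": tag.hex()}


def verify_password(password: str, record: dict, key: bytes = SERVER_KEY) -> bool:
    """Recompute the tag from the login attempt and compare in constant time."""
    derived = hashlib.scrypt(
        password.encode(),
        salt=bytes.fromhex(record["salt"]),
        n=record["n"], r=record["r"], p=record["p"], dklen=32,
    )
    tag = hmac.new(key, derived, hashlib.sha256).digest()
    return hmac.compare_digest(tag, bytes.fromhex(record["tag"]))


def scrub(obj):
    """Return a copy of a request-like structure that is safe to log."""
    if isinstance(obj, dict):
        return {
            k: "[REDACTED]" if str(k).lower() in SENSITIVE_FIELDS else scrub(v)
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return [scrub(v) for v in obj]
    return obj


if __name__ == "__main__":
    request = {"user": "alice", "password": "correct horse"}  # constructed sample
    record = hash_password(request["password"])
    print("stored record:", record)
    print("login ok:", verify_password("correct horse", record))
    print("log line:", scrub(request))
```

Hashing at the login service protects only the credential store; any component that sees the raw request, such as an error handler, needs the scrubbing step before it writes anything out.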
Storing hundreds of millions of passwords in a readable format is another big embarrassment for the social media giant, which has already struggled with how to deal with its platform being used to spread fake news and disinformation, plus other companies harvesting data from its users' profiles and then passing it on to third parties.
Earlier this month its CEO Mark Zuckerberg tried to draw a line under these privacy rows by promising that the company would rebuild many of its services around encryption and privacy.
"I understand that many people don't think Facebook can or would even want to build this kind of privacy-focused platform – because frankly we don't currently have a strong reputation for building privacy protective services, and we've historically focused on tools for more open sharing," Zuckerberg wrote in the post at the time.