Facebook just can’t help itself at the moment when it comes to security mishaps. The latest one involves the discovery of hundreds of millions of user passwords that were listed as plain text for years, and potentially exposed them to anyone who had internal access at the company.
Krebs on Security made the concerning discovery, with the website noting that user passwords are normally protected by a process known as hashing, but in this case a series of errors resulted in some Facebook-branded apps from leaving password information accessible to the company’s employees.
The precise number of passwords is unknown, but it’s estimated to be anywhere between 200 million and 600 million. Since Krebs’ report, Facebook has acknowledged the issue, confirming via a blog post that the problem has been addressed.
The company also adds that an estimated 2 000 employees combed through the plain text passwords, although they do not disclose the precise reason why they did. As such it’s unclear whether that information was used by Facebook employees for any nefarious activities.
What is perhaps most concerning, however, is the fact that Facebook said it discovered the problem back in January already. Had Krebs or someone else not found the issue, would the firm have actually disclosed anything to the public?
If we’re going off of previous behaviour probably not, with Facebook routinely found to have made a security blunder, and then apologising, along with issuing the same response of trying to do better for its users.
“There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” wrote Facebook’s VP of engineering, security and privacy, Pedro Canahuati, in the aforementioned blog post.
Facebook ended its blog post by stating that there is no need for users to reset their passwords as the issue has been fixed, but also state that those affected by the password flaw will be contacted by the firm.
As such it’s probably a good idea to reset your password regardless.