Facebook Staff Had Access to Millions of People’s Passwords, so Maybe Change Yours Now

Facebook is making headlines yet again, and as you may suspect it’s not for good reasons. On Thursday, the beleaguered social media giant admitted it had improperly protected the passwords of millions of users, storing them in a database...

Facebook is making headlines yet again, and as you may suspect it’s not for good reasons. On Thursday, the beleaguered social media giant admitted it had improperly protected the passwords of millions of users, storing them in a database accessible by thousands of staff.

Facebook said it discovered the password snafu, which may have been ongoing since 2012, during a security review in January and immediately launched an investigation, according to a report by CNN. The slew of passwords were stored in plain text instead of encrypted, which exposed them to anyone who had access to the internal database. Thankfully, it doesn’t look like any employees abused their access.

The password issue extends to Instagram, which is owned by Facebook, but on a slightly smaller scale. Tens of thousands of Instagram passwords were included in the between 200 million and 600 million reported improperly stored passwords. No biggie. The social network said in a blog post that it fixed the issue and will be notifying users if their passwords were put at risk.

“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Pedro Canahuati, one of Facebook’s vice presidents, said in the post, adding that the company usually “masks people’s passwords when they create an account so that no one at the company can see them.”

In short, it doesn’t appear that anyone at Facebook tried to log into user accounts with the passwords. They may, however, know now that you set your password to your embarrassing college nickname. Awkward. According to The Verge, at least 2,000 Facebook employees dug through the files containing passwords. It’s not clear, however, what they were looking for. Because the exposure was entirely internal, affected users won’t be required to reset their passwords, but can if they so choose (and probably should).

Facebook’s failure to properly store passwords was first revealed by Krebs on Security. The company addressed it shortly after, revealing that the majority of affected users were Facebook Lite users, while tens of millions of regular Facebook users were also impacted. Facebook Lite is a version of Facebook popular with users in parts of the world where connectivity is limited.

Hashing or encrypting passwords is a common cybersecurity practice. Passwords are intended to allow users to authenticate and confirm their identity with no one else’s knowledge. Some in the tech world believe Facebook’s inability to deliver on something widely considered to be “Security 101,” is a sign that the company is failing in other aspects.
“If they can’t get the basic principles of cyber security right, they are surely failing on the tougher challenges,” Marcus Carey, CEO of Threatcare in Austin, Texas, told CNN.

This password issue is just one in a series of issues attached to the company. When it comes to Facebook, perhaps it’s time to log off for good. At the very least, change your password (here's how).


Sign up here for our daily Thrillist email and subscribe here for our YouTube channel to get your fix of the best in food/drink/fun.
Caitlyn Hitt is Daria IRL. Don't take our word for it -- find her on Twitter @nyltiaccc.