SAN FRANCISCO — Facebook said Thursday that millions of user-account passwords had been stored insecurely, potentially allowing employees to gain access to people’s accounts without their knowledge.
The Silicon Valley company publicized the security failure around the same time that Brian Krebs, a cybersecurity writer, reported the password vulnerability. Krebs said an audit by Facebook had found that hundreds of millions of user passwords dating to 2012 were stored in a format known as plain text, which makes the passwords readable to more than 20,000 of the company’s employees.
Facebook said it had found no evidence of abuse and that it would begin alerting millions of its users and thousands of Instagram users about the issue. The company said it would not require people to reset their passwords.
The security failure is another embarrassment for Facebook, a $470 billion colossus that employs some of the most sought-after cybersecurity experts in the industry. It adds to a growing list of data scandals that have tarnished Facebook’s reputation over the last few years. Last year, amid revelations that a political-consulting firm improperly gained access to the data of millions, Facebook also revealed that an attack on its network had exposed the personal information of tens of millions of users.
In response, the company has repeatedly said it plans to improve how it safeguards people’s data.
“There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” Pedro Canahuati, Facebook’s vice president of engineering in security and privacy, said in a blog post Thursday.
Here’s a rundown of what you need to know about the password vulnerability and what you can do.
What’s the problem?
Storing passwords in plain text is a poor security practice. It leaves passwords wide open to cyberattacks or potential employee abuse. A better security practice would have been to keep the passwords in a scrambled format that is indecipherable.
Facebook said it has not found evidence of abuse, but that does not mean it did not occur. Citing a Facebook insider, Krebs said access records revealed that 2,000 engineers or developers made 9 million queries for data that included plain-text user passwords.
A Facebook employee could have shared your password with someone else who would then have improper access to your account, for instance. Or an employee could have read your password and used it to log on to a different site where you used the same password. There are plenty of possibilities.
Ultimately, a company as large, rich and as well-staffed as Facebook should have known better.
How do I know whether someone had access to my account?
There’s no easy way to know. Facebook is still in the process of its investigation and will begin alerting people who might have had their passwords stored in the plain-text format.
What should I do?
Facebook is not requiring users to change their passwords, but you should do it anyway.
There are many methods for how to set strong passwords — for example, do not use the same password across multiple sites, and do not use your Social Security number as a username or a password. You can set up security features such as two-step verification as well.
There are a few other steps to take. I recommend also setting up your Facebook account to receive alerts in the event that an unrecognized device logs in to the account. To do so, go to your Facebook app settings, tap Security and Login, and then tap Get alerts about unrecognized logins. From here, you can choose to receive the alerts via messages, email or notifications.
An audit of devices that are logged in to your account may also be in order, so that you know what laptops, phones and other gadgets are already accessing your account. On Facebook’s Security and Login page, under the tab labeled “Where You’re Logged in,” you can see a list of devices that are signed into your account, as well as their locations.
If you see an unfamiliar gadget or a device signed in from an odd location, you can click the “Remove” button to boot the device out of your account.