Facebook on Thursday said it had for years stored millions of user passwords in plain text, a significant oversight for a company that remains in the spotlight for failing to protect users' privacy. A Facebook executive said in a post that the un-encrypted passwords were stored on internal servers and were not accessible to outsiders.
Despite such reassurances, privacy experts were quick to express concern: "Security rule 101 dictates that under no circumstances passwords should be stored in plain text, and at all times must be encrypted," said cybersecurity expert Andrei Barysevich of Recorded Future. "There is no valid reason why anyone in an organization, especially the size of Facebook, needs to have access to users' passwords in plain text."
The security blog KrebsOnSecurity said some 600 million Facebook users may have had their passwords stored in plain text. Facebook said it would likely notify "hundreds of millions" of Facebook Lite users, millions of Facebook users and tens of thousands of Instagram users of the issue.
Facebook said it discovered the problem in January. But according to Krebs, in some cases the passwords had been stored in plain text since 2012. Facebook Lite launched in 2015 and Facebook bought Instagram in 2012.
Barysevich said he could not recall any major company caught leaving so many passwords exposed internally. He said he's seen a number of instances where much smaller organizations made such information readily available not just to programmers but also to customer support teams.
Security experts recommend using a tool like HaveIBeenPwned to check if a password has been compromised. Some also recommend using a password manager to regularly update complex passwords.