Clearly Facebook stored hundreds of millions of passwords unencrypted on server

Security researcher Brian Krebs reported on his blog that 'Facebook stores hundreds of millions of account passwords on the server as

plain text .' The data on the server is accessible to at least 20,000 Facebook employees, and according to the access log, it is possible that about 2,000 engineers have accessed the information. In addition, Facebook admits this fact.

Facebook Books Hundreds of Millions of User Passwords in Plain Text for Years — Krebs on Security

Facebook admits it stored 'hundreds of millions' of account passwords in plaintext | TechCrunch

It has become clear that Facebook has saved hundreds of millions of user account passwords in plain text, unencrypted, so that thousands of Facebook employees can retrieve that data. Facebook has acknowledged this fact, but after conducting an independent survey, it is stated that 'Employees have found no evidence of misuse of password information.'

According to media reports, it seems that Facebook employees have built an application that logs user account password information and stores the data as plain text on a company server. Facebook is also researching the case independently, and an anonymous Facebook senior employee who is familiar with the research has given Krebs a detailed account of the incident.

According to a source, the number of users who stored passwords in plain text is estimated to be 200 to 600 million, and at least 20,000 Facebook employees can search for password information. About. Facebook is investigating for details, but at the time of writing, it was clear that in 2012 the password was already stored in plaintext. Also, in the access log of the application that stored the password in plain text, about 2000 engineers and developers executed about 9 million internal queries on data elements including the user password. It has been recorded.

by Con Karampelas

Krebs interviewed Scott Renfro, a software engineer on Facebook. Among them, Renfro says that he is not ready to talk about specific numbers, such as the number of Facebook employees who may have access to the data. According to Renfro, Facebook is planning to warn users of potential security breaches, but there is no need to reset passwords.

'No evidence that someone was intentionally searching for a password was found in our previous surveys, and there was no indication that the data was misused. What we found is that passwords are incorrectly logged We believe that there is no risk of this fact, and we only ask you to change your password if you find signs that it has been abused, ”said Renfro. You In addition, Facebook is notifying the security media and Krebs on Security operated by Mr. Kerbs to urge a password change to 'millions of Facebook Lite users, tens of millions of other Facebook users, tens of thousands of Instagram users'. I will explain to send.

According to Renfro, it was in January 2019 that the password was stored in plain text, and a security engineer who was checking the new code found the problem. “This has put a small task force on the team in an effort to check out where problems are likely to occur. A series of controls are in place to mitigate the problems. We are looking into long-term infrastructure changes to prevent problems, and we are also reviewing the necessary logs to see if there has been unauthorized use of data or other access. '

in Web Service,   Security, Posted by logu_ii