Facebook apps logged users’ passwords in plaintext, because why not

by Sean Gallagher, from Ars Technica - All content (#4BJJ7)

Image caption: Facebook Lite users made up the majority of Facebook accounts exposed internally by plaintext password logging, according to a Facebook spokesperson.

Facebook has mined a lot of data about its users over the years: relationships, political leanings, and even phone call logs. And now it appears Facebook may have inadvertently extracted another bit of critical information: users' login credentials, stored unencrypted on Facebook's servers and accessible to Facebook employees.

Brian Krebs reports that hundreds of millions of Facebook users had their credentials logged in plain text by various applications written by Facebook employees. Those credentials were searched by about 2,000 Facebook engineers and developers more than 9 million times, according to a senior Facebook employee who spoke to Krebs; the employee asked to remain anonymous because they did not have permission to speak to the press on the matter.

In a blog post today, Facebook Vice President of Engineering, Security, and Privacy Pedro Canahuati wrote that the unencrypted passwords were found during "a routine security review in January" on Facebook's internal network data storage. "This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and, as a precaution, we will be notifying everyone whose passwords we have found were stored in this way."
