Facebook Screws Up Again

by Karl Bode, from Techdirt (#4BKSW)

Another day, another Facebook privacy scandal.

This time around, a "senior Facebook employee" has informed security expert Brian Krebs that Facebook has been storing the passwords of "hundreds of millions" of Facebook (and Instagram) users in plain text (that is, neither hashed nor encrypted). This is a fundamental security error that no company should ever make, yet it has been a fairly common occurrence at tech companies, where security and privacy are often treated as an afterthought. According to Krebs, the passwords were accessible to around 20,000 Facebook employees for the better part of the last decade:

"The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords."

On the "plus side," this latest scandal is slightly less terrible than past scandals like the Cambridge Analytica fracas. In those instances, the scandals made it clear Facebook routinely viewed consumer privacy as a distant afterthought as it looked to monetize every brain fart of its userbase. In this case, insiders told Motherboard that this does appear to have been a bug, and that Facebook passwords are normally stored encrypted:

"A current Facebook employee told Motherboard that "it sucks."

"Obviously we don't store them in plaintext 'normally,'" the employee, who has a technical role, told Motherboard. "Logged in plaintext in some unique weird cases we found and fixed and are talking about." Motherboard granted multiple sources in this story anonymity to speak more candidly about a security incident.

"It should've never happened," they said."

Still, given Facebook's resources and the volume of security talent it has on staff, the fact that it happened at all is grossly embarrassing. The scandal comes right on the heels of Facebook's other recent scandals -- like its cavalier sharing of user health and real estate data -- and only compounds a scandal-ridden 2018 for the company. Krebs stated that as many as 600 million of Facebook's 2.7 billion users could be affected by this latest screw-up, though, thus far, Facebook has yet to notify any of the impacted users.
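The failure mode the Facebook employee describes, passwords that "normally" get hashed but ended up logged in plain text in a few code paths, and the two controls that prevent it (store only a salted hash; scrub secrets before anything reaches a log or archive), as an added Python example that is not from the article or from Facebook. The log line, the list of sensitive field names and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Field names whose values must never reach a log line or a log archive.
# (Assumed list; extend it for the application's own parameter names.)
SENSITIVE_KEYS = ("password", "passwd", "pwd", "access_token")
_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\s*[=:]\s*([^\s,;&]+)"
)

def redact(text: str) -> str:
    """Replace the value of every sensitive key=value pair with a marker."""
    return _PATTERN.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Scrubs secrets from a record before any handler formats or stores it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # render, then redact
        record.args = ()                          # args are already rendered
        return True

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest): store these instead of the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def capture_login_log(username: str, password: str) -> str:
    """Log a login attempt through the filter and return what got written."""
    stream = StringIO()
    logger = logging.getLogger("login-demo")
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    # The "unique weird case": a debug line that dumps the raw request fields.
    logger.debug("login attempt user=%s password=%s", username, password)
    return stream.getvalue()
```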

Facebook was quick to issue a blog post amusingly entitled "keeping passwords secure," before confirming that Facebook failed to do precisely that. Throughout the post Facebook's Pedro Canahuati downplays the scope of the threat, while remaining somewhat murky on how many people were actually impacted:

"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity."

Given that this data was available to 20,000 employees over a period of roughly seven years, the claim that they've found "no evidence" of abuse should be cold comfort. The company, meanwhile, continued to insist that consumer privacy is among its top priorities:

"In the course of our review, we have been looking at the ways we store certain other categories of information - like access tokens - and have fixed problems as we've discovered them. There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook."

At this point it's fundamentally obvious that this has never actually been true. And while it may be true now that the company is staring at looming regulation and mammoth fines all around the globe, Facebook would need to go a week without a major privacy scandal before any sentient being would take those claims at face value. In the interim, if you're not using a decent password manager and unique passwords on every website you visit, you might just want to get on that.
