Facebook finds more plain-text passwords

April 23, 2019 | 10:47

Tags: #breach #data-breach #insecurity #pedro-canahuati #plain-text-passwords #security #social-networking

Companies: #facebook #instagram

Social networking giant Facebook has admitted that it badly underestimated the number of users' passwords it had stored in plain text: rather than 'tens of thousands of Instagram users', the gaffe affected 'millions of Instagram users.'

In one of the more boneheaded of its recent privacy debacles, Facebook admitted last month that it had been storing hundreds of millions of users' credentials in a plain-text file accessible by staff members. Those debacles have also included a security breach estimated at 50 million accounts, data-gathering mobile apps published in a way that bypassed the approval systems of the Android and iOS app stores, and the capture of users' contacts by demanding they hand over login details for third-party email services. From this wealth of passwords, the company claimed, 'tens of thousands' of accounts were related to the Facebook-owned image-sharing service Instagram.

Late last week, though, the company confessed that it had badly underestimated the scope of the problem. In an update to the official blog post announcing the issue, still embarrassingly entitled 'Keeping Passwords Secure,' Facebook's vice president for engineering, security, and privacy Pedro Canahuati admits: 'Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.'

The company has still not explained why the passwords were being logged in the first place, nor why said logs were accessible to staff. Canahuati has said that 'our login systems are designed to mask passwords using techniques that make them unreadable,' but has offered no details of said 'masking' or of its failure in this instance.

The declaration comes shortly after Facebook found itself branded a group of 'digital gangsters' in a scathing report published by the UK Government in February.
