
Facebook announced today that a security review revealed serious flaws in password storage. Passwords were kept in a database without encryption and were accessible to employees.

In the official report, "a few passwords" turned out to be millions. An internal source at Facebook told the KrebsOnSecurity site that somewhere between 200 and 600 million user passwords were involved. They were stored in plain text, without any encryption.

In other words, any of the company's 20 employees could have accessed user account passwords simply by querying the database. Moreover, according to the information available, this affected not only the Facebook social network itself but also Instagram. A significant number of these passwords came from users of Facebook Lite, a very popular client for slower Android smartphones.

Facebook adds in the same breath that there is no evidence that any employee misused the passwords in any way. However, an anonymous employee told KrebsOnSecurity that over two thousand engineers and developers worked with the database in question and ran around nine million queries against the password table.

Facebook recommends changing your password for Instagram as well

In the end, the whole incident came about because an application developed internally at Facebook intercepted passwords in unencrypted form. So far, however, it has not been possible to determine the exact number of passwords stored in this dangerous manner, nor how long they were kept in the database this way.

Facebook intends to gradually contact all users who may be exposed to a security risk. The company also intends to examine the way it stores other sensitive data, such as login tokens, in order to prevent a similar situation in the future.

Users of both affected social networks, Facebook and Instagram, should change their passwords, especially if they used the same password for other services, because it is possible that sooner or later the entire archive of unencrypted passwords will end up on the Internet. Facebook itself also recommends turning on two-step verification to help authorize access to your profile.

Source: MacRumors
