Facebook admits millions of passwords exposed to staff
Facebook says it stored millions of user passwords in plain text instead of encrypting them
Facebook has admitted that millions of user passwords were accessible to its employees.
The social media network said that as many as 600 million passwords were stored in plain text, dating as far back as 2012.
The company said it has resolved the ‘glitch' which meant that up to 20,000 Facebook employees were able to access user accounts.
Facebook developers has reportedly created applications that logged and stored the passwords without encrypting them, although Facebook says it has not detected any signs of misuse. Facebook says the issue mainly related to Facebook Lite, and although it will inform users, it will not force them to change passwords.
Security company Sophos recommends that users change passwords and turn on two-factor authentication, although the issue is not severe enough to warrant dropping Facebook.
Paul Ducklin, senior technologist, Sophos commented: "It's perfectly possible that no passwords at all fell into the hands of any crooks as a result of this. But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before), then you can expect them to be abused. Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed.
"Given that the wrongly-stored passwords weren't easily accessible in one database, or deliberately stored for routine use during logins, we don't think this breach alone is enough reason to terminate your account. On the other hand, it's a pretty poor look for Facebook, and it might be enough, amongst all the other privacy concerns that have dogged Facebook in recent years, to convince you to take that final step. In short, you have to decide for yourself."