THE SOCIAL NETWORK Facebook stored the passwords of hundreds of millions of users in plaintext for as long as seven years, KrebsOnSecurity has revealed.
According to security researcher Brian Krebs, who got the scoop via an unnamed senior Facebook employee, an internal investigation at the company recently found that staffers had been building applications that logged unencrypted password data and stored it in plaintext on internal company servers.
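The failure mode described above is ordinary request or debug logging that serializes a whole form body, password field included, into an archive that thousands of staff can query. The following is an added example written for this page, not Facebook's code: a redaction step to put in front of any logging call, and a scanner for finding credential values that have already reached log archives. The key list, regex and sample log lines are constructed assumptions for illustration.

```python
"""Added example: keep credentials out of logs, and find ones that got in.
Not Facebook code; key names, pattern and sample lines are constructed."""
import json
import re
from typing import Any, Iterable, List, Tuple

# Keys whose values must never be written to a log (assumed list; a real
# deployment would derive it from its own request schemas).
SENSITIVE_KEYS = frozenset({
    "password", "passwd", "new_password", "old_password",
    "access_token", "token", "secret",
})
REDACTED = "[REDACTED]"


def redact(value: Any) -> Any:
    """Return a copy of a JSON-like structure with sensitive values replaced.
    Recurses into nested dicts and lists so a password buried in a sub-object
    is caught as well as a top-level one."""
    if isinstance(value, dict):
        return {k: REDACTED if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def log_line(event: dict) -> str:
    """Serialize an event for logging only after redaction. This is the call
    that should replace a bare json.dumps(event) in request-logging paths."""
    return json.dumps(redact(event), sort_keys=True)


# Matches key=value, key: value and "key": "value" forms of a sensitive key.
# Group 2 is the captured value; values already replaced by the marker are
# ignored by the scanner below.
_LEAK = re.compile(
    r'(?i)\b(password|passwd|new_password|old_password|access_token|token|secret)\b'
    r'\s*["\']?\s*[:=]\s*["\']?([^"\'&\s,}]+)'
)


def find_credential_leaks(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, key) for every log line that still carries an
    unredacted credential value. Meant to run over existing archives as the
    detection step of an investigation like the one in the story."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        for m in _LEAK.finditer(line):
            if m.group(2) != REDACTED:
                hits.append((n, m.group(1).lower()))
    return hits


# Constructed sample log lines: one JSON body, one already-redacted line,
# one raw form body, one token leak. Not real log data.
SAMPLE_LOG = [
    '2012-05-01T10:00:00Z INFO login attempt {"user": "alice", "password": "hunter2"}',
    '2012-05-01T10:00:01Z INFO login ok user=alice password=[REDACTED]',
    '2012-05-01T10:00:02Z DEBUG POST /reset body=new_password=s3cret&confirm=s3cret',
    '2012-05-01T10:00:03Z INFO session issued access_token=eyJabc.def.ghi',
]


if __name__ == "__main__":
    print(log_line({"user": "alice", "password": "hunter2", "meta": [{"token": "t"}]}))
    for lineno, key in find_credential_leaks(SAMPLE_LOG):
        print(f"line {lineno}: unredacted '{key}' value")
```

The scanner deliberately reports the key rather than the value, so the audit output itself does not become another copy of the plaintext credentials.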
The inquiry, which began this year after an engineer noticed the security screw-up, so far suggests that between 200 million and 600 million Facebook users may have had their account passwords stored in plaintext, making them searchable by more than 20,000 Facebook employees.
It's unclear how long Facebook left the passwords exposed, but the anonymous employee says the probe has so far uncovered archives containing plaintext user passwords dating back to 2012.
"My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords," Krebs said in a blog post.
Scott Renfro, a software engineer at Facebook, was reluctant to cough up exact numbers but told Krebs that the firm has found no signs of password misuse.
"We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data," he said.
"In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this. We want to make sure we're reserving those steps and only force a password change in cases where there have definitely been signs of abuse."
Renfro said the company planned to alert Facebook users starting on Thursday, but that no password resets would be required.
Facebook has since published a blog post, in which it confirms that "we found that some user passwords were being stored in a readable format within our internal data storage systems."
"In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we've discovered them," it added.
This revelation - which, er, should be shocking - comes a week after federal investigators confirmed they are conducting a criminal investigation into Facebook over its controversial data sharing practices.