Facebook is currently investigating the extent to which it accidentally logged and stored unencrypted password data, according to security expert Brian Krebs. This is just the latest in a long line of privacy-related scandals Facebook has endured, further calling into question its ability to keep users secure.
Citing anonymous sources, the report says Facebook employees built applications that stored password data for between 200 million and 600 million users in plain text on internal servers. More than 20,000 Facebook employees had searchable access to those accounts. The investigation is ongoing, but already the company has found vulnerable data that dates back to 2012, writes Krebs. His source says 2,000 developers and engineers turned up plain text passwords within 9 million data queries. The company allegedly does not know how many passwords were exposed, or for how long.
Facebook has come under scrutiny for the way it handles user data, and with whom it shares that data. In September 2018, the company revealed an attack on its network that affected the personal data of some 50 million accounts. More recently, Facebook CEO Mark Zuckerberg vowed to take user privacy more seriously and promised more encryption and other privacy tools. Critics called into question Facebook’s ability to develop a privacy-centered platform, as well as the consequences of such a move, since encryption could make it more difficult to track toxic content on the platform.
In a conversation with Krebs, Facebook engineer Scott Renfro said users would likely not have to change their passwords, because there was no evidence that employees searched for passwords explicitly. In a blog post on password security, Facebook noted that it expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”