Some 2000 Facebook staff had access to millions of Facebook users’ passwords… stored in plaintext

Yes, plaintext. It beggars belief doesn’t it?

You know as well as I do that you probably shouldn’t have a Facebook account.

Chances are that you don’t really like Facebook all that much, and have wanted to leave – but you can’t quite kick the habit because you worry that you might miss things that your friends and family (similarly manacled to the social network) might post on their timeline.

It’s understandable that you should feel like that after years of privacy scandals and security issues.


You may think that nothing would shock you anymore when it comes to Facebook – but how about this?

Investigative journalist Brian Krebs has today published a jaw-dropping story which highlights Facebook’s lax attitude to user security and privacy.

You can read the full story for yourself, but here are the highlights:

  • Stretching back as far as 2012, Facebook has been storing the passwords of hundreds of millions of users in plaintext – not as salted hashes, not even encrypted.
  • The hundreds of millions of Facebook passwords were searchable by thousands of Facebook employees.
  • According to Krebs’s source, access logs have revealed that some 2,000 engineers and developers made around nine million searches for data that contained plaintext user passwords.

Facebook hasn’t directly contacted any users yet about this potential security breach. The presumption is that Facebook was hoping to whittle down the numbers (which are rather shocking) as much as possible before going public. Now that Brian Krebs has blown the whistle, Facebook has, of course, had to issue a statement:

As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.

To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.

(Facebook Lite is an Android app that is designed for users with slow data connections and low-spec phones.)

The silver lining on the cloud is that Facebook hasn’t seen any evidence that any employees have abused access to the password data – but frankly, how would they know for sure?

And furthermore, that’s not really the point.

Why was Facebook storing these passwords in plaintext? Why did so many employees have access to the data? And if it found out about this problem in January, is there any reason why it took until the end of March, and an article by a cybersecurity journalist, for it to come clean?
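For readers wondering what Facebook’s statement means by “mask passwords using techniques that make them unreadable”, here is an added illustration (my example, not code from the original article and not anything Facebook has published about its own systems). A login system should never be able to hand a password back to anyone, engineer or not: it stores only a random salt plus a slow, memory-hard hash, and checks a login attempt by recomputing the hash and comparing in constant time. The scrypt cost parameters and the `scrypt$N$r$p$salt$key` record format below are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters are assumptions for this example; calibrate on the hardware
# that will actually handle logins. scrypt uses 128 * N * r bytes of memory per
# hash: 128 * 2**14 * 8 = 16 MiB, within hashlib.scrypt's default maxmem.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record (assumed format): scheme, cost
    parameters, random salt and derived key, hex-encoded and '$'-separated.
    Nothing in the record reveals the password, and because the parameters
    travel with it they can be raised later without a flag day."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the record's own salt and parameters and compare
    in constant time. Malformed or hostile records (bad hex, absurd cost
    parameters, a plaintext string that slipped into the store) fail closed."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return False
    if n < 2 or n & (n - 1) or len(salt) < 8 or len(expected) < 16:
        return False  # n must be a power of two; refuse degenerate records
    try:
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=n, r=r, p=p, dklen=len(expected))
    except ValueError:  # parameters exceed the memory limit: treat as invalid
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was made with weaker parameters than current policy
    (or is not a scrypt record at all); rehash on the next successful login."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
    except ValueError:
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    # Constructed sample input, not real user data.
    record = hash_password("correct horse battery staple")
    print(record)  # an engineer searching the store sees only this
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("correct horse battery stapler", record))  # False
```

Two properties worth noticing: the same password hashed twice yields two different records because of the random salt, so a searcher cannot even tell which users share a password; and a database export, log line or internal search result containing the record gives an attacker nothing to log in with, only something to spend GPU time attacking offline.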

So, what should you do about this?

Well, you should ensure that the password you were using for Facebook isn’t being reused anywhere else on the internet.

Furthermore, if you’re going to keep your Facebook account, you should enable two-factor authentication (although make sure you do that with an authenticator app, because if you give Facebook your real mobile phone number for security, it has no qualms about using it for its own benefit or its advertisers’).

But really, the best advice I can give you is to quit Facebook. You’re in an abusive relationship. They keep letting you down, and you’re not learning the lesson. Be sensible, walk away. And tell your friends and loved ones to do the same.

We made a “Smashing Security” podcast all about how to quit Facebook. Give it a listen, and maybe try quitting Facebook for yourself. It’s quite liberating.

Smashing Security #75: 'Quitting Facebook'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Some 2000 Facebook staff had access to millions of Facebook users’ passwords… stored in plaintext”

  1. JT

    You make an assumption that we are all FOMO-ers. Not. And we only use Facebook for people close by whom we could get together with in other ways.
    Some of us are part of a worldwide network of Visual Artists for one example. We share and promote and follow the work of people we admire. Since many of us work alone at home or live in areas where there are few kindred spirits it is a lifeline to everything we care about and the kind of people we want and need to know.
    So I hope you find a better answer than cutting all relationships and giving up our life's work?
    BTW. not helpful are answers that assume we are young and mobile and have super fine cars and should just drive a hundred miles every other day to see our artist friends OR find the $$$ to fly, since some are in Canada and we are in Los Angeles.
    I will try and figure out your other advice since it's tech-heavy for a 78 year old. Our young tech friend can help us next time he's here.
    Thanks for letting us know but if quitting is good for you by all means go for it. I have to say it is not for everyone.

    1. Graham Cluley · in reply to JT

      I understand why you've chosen to use Facebook. Makes sense.

      It's a shame that your community and others haven't been able to find a social network that respects your privacy and isn't prioritising its advertisers over its members. Maybe such a network exists out there that would work for you (perhaps for a small monthly or annual subscription fee?).

      Personally I much prefer paying for services (which means I can be more confident that they'll want to look after me as a user, rather than rely upon advertising partners).

  2. Kelly W

    One of the "Share this article" options is to share on Facebook. Seems contradictory ;-)

    A FB quitter & proud of it
    (I quit FB 8 years ago & never looked back!!)

    1. Graham Cluley · in reply to Kelly W

      I purposefully don't use Facebook's own sharing buttons on my website, as that would give them a way of tracking my readers through their grubby little script. Instead, I created my own which allows Facebook users to share links to stories on my website – hey, they need to spread the word to their Facebook friends that they should quit, right? :)

      PS. Well done on staying off Facebook for so long. Nice one.
