Facebook (FB) is in hot water again. After a year of controversies in 2018, it looked as though the company was ready to turn over a new leaf in 2019. But that was before Brian Krebs of Krebs on Security reported that the social network was storing hundreds of millions of users’ passwords on company servers in plain text.
That might not sound too bad — until you realize that storing passwords in plain text means that they were completely readable. Facebook usually hashes and salts passwords, which prevents passwords from being read. What’s more, those passwords were on a server, Krebs reports, that was accessed millions of times by roughly 2,000 engineers and developers.
Why is that such a big deal? Because if one of those engineers or developers were so inclined, they could have used that information to access user accounts.
But it doesn’t look like Facebook will suffer much backlash through either its user numbers or stock price.
Following the first reports of the news, Facebook’s stock was trading marginally higher at $166 per share as of 2:30 p.m. on Thursday.
Facebook, for its part, says that there is no evidence any employees abused their access to the password data. What’s more, the fact that these passwords were being stored in a readable format was uncovered by Facebook itself during a security review. But the problem was uncovered back in January, and we’re only hearing about it now.
All of this, of course, comes less than a month after CEO Mark Zuckerberg revealed, in a lengthy Facebook post, that the social network was doubling down on privacy and ensuring users’ data remains safe.
In a post explaining this latest issue, Facebook’s VP of engineering, security and privacy Pedro Canahuati said that the company will be notifying “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” to let them know that their passwords were part of the batch stored as plain text.
Facebook Lite is a version of Facebook for users who have slow internet connections in developing countries.
If you’re a Facebook user, and let’s face it, you likely are, your best bet is to change your Facebook password immediately. That goes for Instagram users, as well. And while WhatsApp passwords weren’t mentioned as part of the latest privacy debacle, it’s probably best to change your password there too.
Facebook’s problems aren’t adding up
All of this follows news in 2018 that a Facebook bug exposed millions of users’ private photos to app developers. That story was preceded by Facebook’s “view as” bug, which allowed hackers to exploit access tokens used to keep users logged into Facebook. Those tokens could then be used to gain access to users’ accounts.