A website has recently learned that hundreds of millions of Facebook users had their account passwords stored in plain text, searchable by thousands of Facebook employees. In some cases, the stored passwords date back to 2012.
KrebsOnSecurity has learned that the passwords of hundreds of millions of users were stored in plain text and accessible to thousands of Facebook employees. According to the social media company, an investigation is ongoing. The company said that so far there is no proof that its employees have abused their access to the data.
A Facebook source said that the investigation so far indicates that between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 employees, according to The Verge.
A source said that the company is still trying to determine how many passwords were exposed and for how long. So far, the investigation has uncovered archives with plain text user passwords dating back to 2012.
My Facebook insider mentioned that the access logs revealed some 2,000 engineers or developers made approximately nine million internal queries for the data elements that contained the plain text user passwords.
The source said, "The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds." Regarding the affected users, the source mentioned that efforts are currently being made to lower the number even more by only counting things that the social media company currently has in its data warehouse.
In an interview, Scott Renfro, a Facebook software engineer, said, "We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this. We want to make sure we're reserving those steps and only force a password change in cases where there have definitely been signs of abuse."
A written statement from Facebook provided to KrebsOnSecurity states that the company expects to notify tens of millions of Facebook users, hundreds of millions of Facebook Lite users and tens of thousands of Instagram users. Facebook Lite is a version of Facebook designed for low-speed connections and low-spec phones.