Facebook exposed passwords of hundreds of millions of users to its employees

These passwords lay unencrypted in readable text form for several years, and were accessed by 20,000 Facebook staffers. The company has acknowledged the security lapse.

If you still hold a Facebook account, change your password now. We're not saying this, cybersecurity experts are. Here's why.

On March 21, cybersecurity and investigation blog KrebsonSecurity revealed that Facebook employees had access to the private passwords of 600 million users. These passwords lay unencrypted in Facebook's internal servers for years - some dating back to 2012 - and were searchable and readable in plain text to thousands of staffers.

This not only violates the internet's fundamental security practices that require tech organisations to store passwords in a scrambled form such that it is difficult to recover the original text, but also adds to Facebook's growing list of privacy disasters in the last 12 months.

Image: Facebook Newsroom

Incidentally, the KrebsOnSecurity revelation comes exactly a year since the Cambridge Analytica scandal broke out.

Facebook, however, has claimed that its ongoing investigation has found no indication of data abuse by employees.

"The investigation indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012," KrebsOnSecurity noted.

Also Read: Facebook now has 1.52 B daily active users, thanks to its growth in India

While Facebook says no password reset is required, it will alert users if their data has been misused. Addressing the concerns, Facebook's VP of Engineering, Security, and Privacy, Pedro Canahuati wrote on the official blog,

"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them... We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users."

Privacy experts, however, recommend users to change their existing passwords.

Also Read: Facebook India will now report to Mark Zuckerberg's core team in Menlo Park

Since the Cambridge Analytica exposé in 2018, Facebook has lost over a $100 billion in market cap. Prominent Silicon Valley techies from Elon Musk to Brian Acton (founder of WhatsApp who left Facebook in 2017) led the #DeleteFacebook movement urging users to quit the social networking platform.

Despite the negative buzz around it, Facebook counts over 2.3 billion monthly users worldwide, and continues to be one of the most influential tech companies of the 21st century.

Also Read: 'Facebook is working to prevent another Cambridge Analytica': Rob Sherman


Updates from around the world