Facebook has disclosed a flaw on its social network that made passwords of hundreds of millions of users visible to employees and said the issue has now been fixed.
During a security review in January, Facebook found that the passwords were stored in a readable format, against its security procedures, but that they were never visible to anyone outside of the company. Most of the accounts affected were using Facebook Lite, a version of the app designed for emerging markets. The company said it hasn’t found evidence this access was abused.
The revelation is just the latest smudge on the company’s already spotty data-security record. Facebook is still grappling with the fallout of several major security issues from last year, including the most prominent scandal — revealed in March 2018 – involving information on tens of millions of users shared with political consultancy Cambridge Analytica. That disclosure resulted in various government probes around the world. Millions of users also had personal information accessed via a breach.
Facebook disclosed the password exposure after the security blog KrebsOnSecurity learned about it from an internal source. Krebs said the issue dated back to 2012 in some cases.
“The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20 000 Facebook employees,” KrebsOnSecurity wrote.