Facebook, which has over a billion users, reportedly stored millions of user passwords in plain text documents.
According to the report, the company stored the passwords of between 200 and 600 million users in plain text. Worse, thousands of Facebook employees can access and search the database, for whatever reason they may have.
Hashing Is The Solution
This certainly goes against the usual standards for storing private information such as passwords. Once hackers and identity thieves get hold of this type of information, it can result in a widespread issue of compromised accounts.
User passwords are typically stored through "hashing." Once user data is in this form, the hashed value cannot be used by unauthorized personnel to revert to the original data. In such cases, an encryption key will be made available only to personnel whose security level is high enough.
However, in the case of Facebook's millions of user passwords dating back to 2012, the report said the data is accessible to about 20,000 Facebook employees. According to the source, access logs showed that about 2,000 employees made an estimated 9 million searches, which contained plain text user passwords.
So What Now?
A Facebook software engineer stated that the company was not ready to disclose the exact number of employees who may have accessed the data. However, the company does plan to notify affected users. As of now, no password resets will be needed.
"We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data," said Facebook software engineer Scott Renfro.
Facebook has had a number of issues in recent months, some of which are related to user privacy and security. Earlier this month, a Facebook Messenger bug allegedly exposed contacts you had conversations with. Meanwhile, a December report stated that another bug disclosed the photos of around 6.8 million users.