Up to 600 million Facebook users have had their passwords leaked in an internal data breach.
Security researcher Brian Krebs broke the news on 21 March 2019, explaining that the social network’s internal company servers contained passwords stored in plaintext. This means they weren’t encrypted, making them freely accessible to as many as 20,000 employees, most of whom had no reason to access this information.
Krebs went on to reveal that some passwords had been exposed since 2012.
‘No signs of misuse’
Facebook said that the breach was discovered in January 2019 as part of an internal security review. However, the social media giant is confident that the incident represents only a breach in confidentiality and that no information has been misused.
“These passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the organisation said.
Although this is obviously positive news, it doesn’t absolve Facebook of blame or make the breach any less serious. There are plenty of cases where the extent of a breach isn’t known until the information resurfaces years later (as you might recall from Yahoo’s security meltdown).
Who is affected?
The breach primarily affects users of Facebook Lite, a mobile version of the social network that’s popular in countries with poor Internet connections.
However, the organisation adds that “tens of millions of other Facebook users, and tens of thousands of Instagram users” are affected.
Facebook’s woes continue
This incident is another in a long line of security issues faced by Facebook. Last week, the New York Times reported that federal prosecutors are investigating the social network’s data deals with tech companies.
Earlier in March, privacy experts publicly criticised Facebook for using phone numbers provided for security purposes, such as two-factor authentication, for marketing and advertising purposes.
What you can learn from this incident
There are two main takeaways from this incident. First, don’t ever store passwords (or any sensitive information) in plaintext. Doing so invites data breaches, because it’s all too easy for an employee to misuse that data or for cyber criminals to steal it.
Second, and this is something Facebook got right, you should make sure you regularly review your security processes. Vulnerability scans and penetration tests are essential for spotting weaknesses in your organisation, and you can use the results to make urgent repairs before it’s too late.
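To make both takeaways concrete, here is an added example (not code from the article or from Facebook) of what a credential store should hold instead of the password itself, plus a review-style check that scans a constructed sample table for rows still holding raw passwords. The record layout, field names and the `audit` helper are assumptions of this example; the hashing uses PBKDF2-HMAC-SHA256 from the Python standard library.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters. 100_000 iterations keeps this example quick;
# raise the work factor for production use.
ALG = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(username: str, password: str) -> dict:
    """Build the record a credential store should hold: salt + hash, never the password."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"username": username, "alg": ALG, "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash for a login attempt and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def plaintext_record(username: str, password: str) -> dict:
    """The anti-pattern described in the article: the password itself is written to the store."""
    return {"username": username, "password": password}


def audit(records: list) -> list:
    """Return usernames whose record is not in the salted-hash format (assumed audit check)."""
    flagged = []
    for r in records:
        ok = (r.get("alg") == ALG and isinstance(r.get("iterations"), int)
              and len(r.get("salt", "")) == 2 * SALT_BYTES
              and len(r.get("hash", "")) == 64)  # sha256 digest is 32 bytes = 64 hex chars
        if not ok:
            flagged.append(r["username"])
    return flagged


if __name__ == "__main__":
    # Constructed sample table: two properly hashed rows and one plaintext row.
    table = [make_record("alice", "correct horse"),
             make_record("bob", "correct horse"),
             plaintext_record("carol", "hunter2")]
    print("plaintext rows:", audit(table))                     # ['carol']
    print("alice login ok:", verify(table[0], "correct horse"))  # True
```

Running the audit as part of a regular security review is the kind of check that would flag the plaintext rows before they sit exposed for years.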