Over 20,000 Facebook employees had access to 600 million user passwords

Donna Miller
March 21, 2019

The company estimates that hundreds of millions of Facebook Lite users and tens of millions of "other" Facebook users had their passwords stored in plain text.

In a blog post on Thursday, Pedro Canahuati, Facebook's vice president of engineering, security and privacy, said that they found "no evidence to date" that any staffers improperly accessed those passwords.

The social network is also probing the causes of a series of security failures, in which employees built applications that logged unencrypted password data for Facebook users, the report said.

Security analyst Troy Hunt, who runs the "haveibeenpwned.com" data breach website, said that the situation is embarrassing for Facebook, but that there's no serious, practical impact unless an adversary gained access to the passwords.

"One Hacker Way" is the main address of Facebook's vast campus in the California city of Menlo Park.

Facebook officials admitted on Thursday that the tech giant stored hundreds of millions of user passwords in plain text, readable by employees.

But the internal investigation uncovered archives dating back to 2012 that show users' passwords in plain text, according to Krebs.

This story has been published from a wire agency feed without modifications to the text.

Facebook shared information about the security incident soon after it was first reported by Krebs on Security. He said Facebook had "fixed problems as we've discovered them", but the company did not immediately comment on other security mishaps it identified. Most affected were users of Facebook Lite, the company said, a stripped-down version of the social network that's largely in use in countries with lower internet connection speeds.

There's so far no indication that this information was misused, Facebook says. "We want to make sure we're reserving those steps and only force a password change in cases where there have definitely been signs of abuse".

And earlier in 2018 it revealed that data on millions of users had been harvested by data science company Cambridge Analytica. He said the Facebook blog post suggests storing passwords in plain text may have been "a sanctioned practice", although he said it's also possible a "rogue development team" was to blame.
