27 votes

Facebook stored hundreds of millions of user passwords in plain text for years

5 comments

  1. Deimos

    It sounds like this was inside logs, probably just something like "log all the data the user sends us", without excluding anything sensitive. That doesn't really make it better, but it's a dumb mistake that's pretty common.

    They've made an official post here, with an appropriately PR-speak title to make sure it sounds boring/routine enough that almost everyone will ignore it: Keeping Passwords Secure

    15 votes
    1. Cosmos

      Best part is them asking us to take their word that their internal audit found not a single employee who abused this access to millions of passwords.

      5 votes
      1. Deimos

        Companies always say that kind of thing, but I never really understand how they can make claims like that. Brian Krebs said this has been happening since 2012, so assuming that these were stored in some kind of log files, do they really have a full log of everyone that accessed any of those files in the last 7 years? And even if they do, there's no way they can tell exactly what the person looked at while they had the file open, whether they took a photo of it or wrote anything down, and so on.

        I'm sure a depressingly large number of people use the same password on Facebook as they do for their email and other accounts, so someone could have been collecting passwords from these files and using them to log into other services. As long as that's not happening over Facebook's network, there's no way they could possibly know whether it happened or not.

        They're trying to make it sound like it's not a severe issue because they can't find proof that any of the data was actually misused, but it's impossible for them to truly know that. As the saying goes, "absence of evidence is not evidence of absence," but they sure try to imply that it is.

        4 votes
  2. The_Fad

    It's frustrating to continue to watch Facebook "discover" these data security concerns that have apparently existed for not-insignificant amounts of time only to see them able to sweep it under the rug of public scrutiny. Even their pending litigation in the EU and US hasn't really affected their business, as far as a "punishment" goes. It's forced them to reevaluate the way they do things, sure, but it's concerning that so many people are so willing to forgive and forget the gross mishandling of their own private data and information. Is it an education issue? Are people just not as learned as they need to be in order to take these things seriously? Or is it simply the reality of the world we live in that these pieces of information are no longer as socially valuable as they once were? If the latter, WHY. It's not like they've lost any of their personal value; I'm still not giving out my full name and address to randos I meet at parties, or showing my personal photos of my family to anyone who isn't a close friend or in my home.

    There's a disconnect somewhere, here.

    3 votes
    1. Greg

      I can only speak for myself, but it's partly fatigue (both with privacy failures, and with the overwhelming flood of environmental, economic, and political news that makes privacy feel like a drop in the bucket), partly changing norms (like it or not, there simply is less expectation of privacy now compared to 20 years ago; hell, I've even seen the occasional positive take on that) and partly pragmatism (if everything's already been leaked, the chances of any specific individual's information being exploited are relatively slim).

      3 votes