28 votes

Facebook has updated their blog post about storing unencrypted passwords - they found more log files, and there are now millions of Instagram users impacted, not thousands as stated originally

6 comments

  1. Deimos
    Link
    Here's the relevant paragraph with the new update from this morning:

    To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.
    (Update on April 18, 2019 at 7AM PT: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed).

    5 votes
  2. [3]
    Soptik
    Link
    They’re joking right? There is no way someone may accidentally add something like

    login.php

        db.insert(request.postData);

    Do not tell me people so incompetent to overlook this will contain passwords are employed by Facebook. Do not tell me code review didn’t catch this.

    I’m now looking at this more like “Hey, what if we store user passwords somewhere hidden so the first whistleblower doesn’t find this, but we can still have access to user data in case they use E2E?”. It doesn’t make much sense to me why they would do this, as there isn’t that big a gain IMO, but don’t tell me this is just incompetence. Especially since they did it to Instagram users as well, thus it isn’t some long forgotten line in legacy code.

    4 votes
    1. [2]
      Deimos
      Link Parent
      I don't know, I do believe it could easily have been unintentional. Since it's across many different apps/properties, I think it's likely that the logging was happening at something closer to a network level, where they were just logging all requests to some servers.

      It's easy for this sort of thing to happen: someone sets up logging to look into an ongoing issue, then they forget to turn it off or mean to come back to it later, and maybe they even end up quitting or getting fired. Everybody else either never notices there's some random unnecessary logging happening, or they just assume it's important for some reason and don't want to mess with it.

      5 votes
      1. Soptik
        Link Parent
        I don’t know, access tokens? Ok, I get it, no problem. But passwords? They can be accessed on like one or two places: login form and settings form (for example when changing passwords).

        If they logged all server traffic, then yes, it is probably unintentional, especially since I don’t see a way FB could profit from user passwords. (Well, they could sell them, as many people use one password for everything, but FB is hopefully not there yet and I still trust them with this).

        If they set up network-wide logging, then yes, I can believe it. But still. This is an enormous f-up, especially since this probably comes from multiple servers (either that or one instance was collecting the data for a very, very long time - which isn’t much better).

        To me it looks like some a/b testing with additional logging enabled, especially considering the amount of affected instagram accounts.

        1 vote
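The two comments above describe the failure mode (blanket request logging that nobody turns off) and where credentials enter it (login and password-change forms). The following is an added example, not code from the thread or from Facebook: a minimal Node.js request logger in its naive "log the whole body" form next to a version that redacts credential fields before the line is written, plus a scanner that flags existing log lines still holding plaintext credentials. Field names, paths and sample log lines are constructed for illustration.

```javascript
// Added example (not from the thread): a request logger that scrubs
// credential fields before a log line is written, beside the naive
// "log everything" version, plus a scanner that flags lines already
// holding plaintext credentials. Field names, paths and sample lines
// are constructed for illustration.

// Field names treated as credentials; a real deployment keeps this list
// in one place so every logging path shares it.
const SENSITIVE_FIELDS = new Set([
  'password', 'passwd', 'old_password', 'new_password',
  'access_token', 'refresh_token',
]);

// Recursively replace credential values, so nested bodies such as
// {"credentials": {"password": ...}} are covered too.
function redactBody(body) {
  if (Array.isArray(body)) return body.map(redactBody);
  if (body !== null && typeof body === 'object') {
    const out = {};
    for (const [key, value] of Object.entries(body)) {
      out[key] = SENSITIVE_FIELDS.has(key.toLowerCase()) ? '[REDACTED]' : redactBody(value);
    }
    return out;
  }
  return body;
}

// Login forms often arrive URL-encoded; normalise that to an object so
// the same redaction applies. Already-parsed JSON bodies pass through.
function parseBody(body) {
  if (typeof body === 'string') return Object.fromEntries(new URLSearchParams(body));
  return body;
}

// The naive logger: serialises the request exactly as received. This is
// the shape of the mistake the thread is about.
function formatRequestLogUnsafe(req) {
  return JSON.stringify({ ts: req.ts, method: req.method, path: req.path, body: parseBody(req.body) });
}

// The hardened logger: identical output except that credential fields
// are redacted before serialisation.
function formatRequestLog(req) {
  return JSON.stringify({ ts: req.ts, method: req.method, path: req.path, body: redactBody(parseBody(req.body)) });
}

// Detection side: a pattern that matches a credential field whose value
// is anything other than the redaction marker.
const FIELD_ALTERNATION = [...SENSITIVE_FIELDS].join('|');
const PLAINTEXT_CREDENTIAL = new RegExp(
  `"(?:${FIELD_ALTERNATION})"\\s*:\\s*"(?!\\[REDACTED\\]")[^"]*"`, 'i');

// Return the indices of log lines that still carry a plaintext credential.
function findLeakedCredentials(lines) {
  const hits = [];
  lines.forEach((line, i) => { if (PLAINTEXT_CREDENTIAL.test(line)) hits.push(i); });
  return hits;
}

// Constructed sample log lines: one leak, one harmless GET, one redacted.
const SAMPLE_LOG_LINES = [
  '{"ts":"2019-04-18T07:00:01Z","method":"POST","path":"/login","body":{"email":"a@example.com","password":"hunter2"}}',
  '{"ts":"2019-04-18T07:00:02Z","method":"GET","path":"/feed","body":null}',
  '{"ts":"2019-04-18T07:00:03Z","method":"POST","path":"/login","body":{"email":"b@example.com","password":"[REDACTED]"}}',
];

// Constructed request as a login handler would see it (form-encoded body).
const SAMPLE_LOGIN_REQUEST = {
  ts: '2019-04-18T07:00:04Z',
  method: 'POST',
  path: '/login',
  body: 'email=c%40example.com&password=hunter2',
};

console.log('unsafe :', formatRequestLogUnsafe(SAMPLE_LOGIN_REQUEST));
console.log('safe   :', formatRequestLog(SAMPLE_LOGIN_REQUEST));
console.log('leaks  :', findLeakedCredentials(SAMPLE_LOG_LINES));
```

The redaction is keyed on field names rather than on the route, because a blanket logger at the network or framework level does not know which handler is a login form; the scanner is the complementary check to run over logs that already exist, which is the situation the blog post describes.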
  3. [2]
    Cosmos
    Link
    Now that's what I call a news dump! This would be getting massive amounts of attention if it were released any other day of the year. But today, it won't get a second of airtime.

    2 votes
    1. annadane
      Link Parent
      why today specifically?

      1 vote