What we can learn from Facebook's password management

By Mike Fiorito, VP of Business Development at MDS

Recently, Facebook acknowledged a bug in its password management systems. This internal bug caused hundreds of millions of Facebook and Instagram user passwords to be stored as plaintext. As a result, thousands of Facebook employees could have searched for and found them. Krebs reports that the passwords stretched back to those created in 2012.

Organizations can store account passwords securely by scrambling them with password-hashing before saving them to their servers. This way, even if someone compromises those passwords, they won’t be able to read them, and a computer would find it difficult—even functionally impossible—to unscramble them. As a prominent company with billions of users, Facebook invests heavily to avoid the liability and embarrassment of security mishaps. Unfortunately, one open window negates all the padlocks, bolts, and booby traps money can buy.  Anything short of everything is never enough.

“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” said Pedro Canahuati, Facebook’s vice president of engineering, security, and privacy. “Our login systems are designed to mask passwords using techniques that make them unreadable. To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”

Canahuati said that Facebook has now corrected the password logging bug and that the company will notify hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users that their passwords may have been exposed. Facebook does not plan to reset those users’ passwords.

Facebook said that the exposed passwords weren’t all stored in one place, and that the issue didn’t result from a single bug in the platform’s password management system. Instead, the company had unintentionally and incidentally captured plaintext passwords across a variety of internal mechanisms and storage systems, like crash logs. Facebook says that the scattered nature of the problem made it more complicated both to understand and to fix, which the company says explains the nearly two months it took to complete the investigation and disclose the findings.

Why did Facebook retain logs that included sensitive data for so long, and why was the company unaware of its contents?

This breach makes clear that performing audits and analyzing the storage of private user data is paramount.  Along with a host of other resources and techniques, MDS uses tools like Compliance Manager to perform on-going risk assessments to meet GDPR, NIHST and HIPPA compliance.

“The data that’s captured incidentally as part of debugging and operating at the network scales they do is not uncommon,” says Kenn White, a security engineer and director of the Open Crypto Audit Project. “But if Facebook retains that for years it raises a lot of questions about their architecture. They have an obligation to protect these debug logs and audit and understand what they’re retaining. In some ways that’s the most sensitive data they hold, because it’s raw and unmanaged.”  Any company, but especially a company like Facebook, which stores an enormous amount of private user data, must maintain a vigilant Cybersecurity program.

Facebook says its investigation hasn’t revealed any signs that anyone intentionally accessed its hundreds of millions of errant passwords to steal them. But whether you get a password notification from Facebook or not, you might as well go ahead and change it as a precaution.

To do so on Facebook desktop, go to Settings → Security and Login → Change Password. On Facebook for iOS and Android, go to Settings & Privacy → Settings → Security and Login → Change Password. On Facebook Lite for Android, go to Settings → Security and Login → Change Password. Changing your account password on either main Facebook or Facebook Lite changes it for both.

On Instagram, go to Settings → Privacy and Security → Password to change your password. Instagram and Facebook do not use the same password but can be linked to log into one with the other.

Are you concerned about your data privacy and data storage within your organization? Contact an MDS expert today for a 1:1 consolation.

Take Back Your Day

Learn how the latest technologies can free up your time so you can focus on your business

Share This