Facebook Confesses That It Stored Hundreds Of Millions Of Passwords In Plaintext

Despite the fact that millions of us rely on Facebook to keep us informed and connected, it's been a rough couple of years for the biggest social media platform. One of the top concerns surrounding Facebook is its security, or lack thereof — and recent news certainly doesn't inspire confidence.

The alarm was sounded earlier this month.

Krebs on Security

Cybersecurity reporter Brian Krebs initially reported on March 19th that Facebook has been handling stored passwords in a way that leaves a lot to be desired — and they've been doing this for years.

All stored in plain text.

Krebs said that the passwords of Facebook users were stored in plain text, a weak practice for one of the internet's biggest companies. Plain-text passwords are far more vulnerable than passwords kept in a protected form, because anyone who can access the stored data can read them directly.

Employees could access this data.

Krebs said that more than 20,000 Facebook employees could have searched the passwords database. An insider told him that 2,000 employees made about nine million internal searches for data that included user passwords.

Facebook has responded.

Facebook Newsroom

In a post dated two days after Krebs' investigation, Facebook's VP of Engineering, Security and Privacy said that the company became aware of the breach back in January.

It's an effort at damage control.

It's interesting that Facebook didn't make this announcement at the time they became aware of it, and instead waited until a whistleblower's report blew the cover off the breach and made it public.

The response is somewhat reassuring.

Facebook says password data were never visible to anybody outside of Facebook and the information probably wasn't abused, and that they plan to notify "hundreds of millions" of users about the password snafu.

Facebook is conducting a review.

Appropriately, they plan to fix problems and vulnerabilities in the way they store passwords. They also offer users tips on securing their account, which is a bit rich considering it was the company that leaked the passwords.

How many people could be affected?

In Krebs' initial report, he said as many as 600 million users (one in five users) could be affected. Facebook didn't go into specifics in their announcement about how many users could be affected.

Facebook's faced a lot of bad press.

There have been calls for the Federal Trade Commission to investigate alleged antitrust violations at Facebook. Rhode Island Representative David N. Cicilline penned an op-ed calling for lawmakers to take a closer look just this month.

There's also the whole Cambridge Analytica thing.

In what's become a dark cloud hanging over Facebook founder Mark Zuckerberg, the revelation that Facebook had allowed a data mining firm to access personal data was a major red flag for security advocates.

The plain text bug is a recurring problem.

It might be Facebook's first run-in with this issue, but it's affected other big internet platforms in the past. Both GitHub and [Twitter](https://techcrunch.com/2018/05/03/twitter-password-bug/) have experienced similar bugs that potentially exposed users' passwords in plain text.

We'll see how Facebook recovers.

Responding to a potentially serious breach months after the event, and only after the event has been reported elsewhere, isn't the best look. Facebook hasn't explained why they waited so long.

What are your thoughts?

There doesn't seem to be much encouraging news about Facebook these days, but it's tough to tear yourself away from social media. At what point would you say "enough's enough" and delete your account?