Facebook Left Hundreds of Millions of Passwords Exposed to Its Employees

Security data from several of the company’s products may have been stored as plain text.

Ting Shen/Xinhua via ZUMA

For indispensable reporting on the coronavirus crisis, the election, and more, subscribe to the Mother Jones Daily newsletter.

Facebook stored hundreds of millions of its users’ passwords in a “readable format” according to the company, leaving them exposed to employees with access to the internal files.

The company disclosed the incident in a post on its public relations portal. Facebook’s description of plans to notify affected users suggest the scale of the security breach, which included “hundreds of millions of Facebook Lite users,” referring to a stripped down version of its app offered in countries with less broadband access, as well as “tens of millions of other Facebook users, and tens of thousands of Instagram users.”

Facebook explained that it usually masks passwords to prevent employees from being able to access them internally. “In security terms, we ‘hash’ and ‘salt” the passwords, including using a function called ‘scrypt’ as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters,” the company detailed in its post. “With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.”

While the company did not explicitly admit to keeping the files in plain text, Brian Krebs of Krebs on Security, who broke the news of the exposed passwords, reported the files had been exposed in easily readable, plain text, inside a searchable database to which thousands of its employees had access.

Facebook claims it has not yet found any examples of the password database being abused by its employees, or evidence that passwords had been obtained by anyone outside the company. In its post, the company advised users against using the same password on different services, while suggesting users may want to change Facebook and Instagram passwords.

The security gaffe comes days after Facebook CEO Mark Zuckerberg announced a new pivot to privacy at the company, laying out a 3,000 word plan for a new “privacy-focused vision.”

SIX TRUTHS

Reclaiming power from those who abuse it often starts with telling the truth. And in "This Is How Authoritarians Get Defeated," MoJo's Monika Bauerlein unpacks six truths to remember during the homestretch of an election where democracy, truth, and decency are on the line.

Truth #1: The chaos is the point.

Truth #2: Team Reality is bigger than it seems.

Truth #3: Facebook owns this.

Truth #4: When we go to work, we're in the fight.

Truth #5: It's about minority rule.

Truth #6: The only thing that can save us is…us.

Please take a moment to see how all these truths add up, because what happens in the weeks and months ahead will reverberate for at least a generation and we better be prepared.

And if you think journalism like Mother Jones'—that calls it like it is, that will never acquiesce to power, that looks where others don't—can help guide us through this historic, high-stakes moment, and you're able to right now, please help us reach our $350,000 goal by October 31 with a donation today. It's all hands on deck for democracy.

payment methods

SIX TRUTHS

Reclaiming power from those who abuse it often starts with telling the truth. And in "This Is How Authoritarians Get Defeated," MoJo's Monika Bauerlein unpacks six truths to remember during the homestretch of an election where democracy, truth, and decency are on the line.

Truth #1: The chaos is the point.

Truth #2: Team Reality is bigger than it seems.

Truth #3: Facebook owns this.

Truth #4: When we go to work, we're in the fight.

Truth #5: It's about minority rule.

Truth #6: The only thing that can save us is…us.

Please take a moment to see how all these truths add up, because what happens in the weeks and months ahead will reverberate for at least a generation and we better be prepared.

And if you think journalism like Mother Jones'—that calls it like it is, that will never acquiesce to power, that looks where others don't—can help guide us through this historic, high-stakes moment, and you're able to right now, please help us reach our $350,000 goal by October 31 with a donation today. It's all hands on deck for democracy.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate