Facebook stored hundreds of millions of user passwords in plain text

Researcher Brian Krebs of KrebsOnSecurity broke the news about the security failure, saying that 600 million passwords were stored in plain text.

But the internal investigation uncovered archives dating back to 2012 that show users' passwords in plain text, according to Krebs.

Facebook says it'll notify users affected by this, but it won't require them to change their password as a result of the findings.

"It's good news for consumers that Facebook says none of the data was exploited by bad actors, but this is alarming, especially because many people tend to reuse the same password across different services", says Bob Richter, who heads Consumer Reports' privacy and security testing.

"We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data", Renfro said.

What we do know is that now would be a great time to reset your password for both Instagram and Facebook, just to be sure.

Facebook said it discovered the problem in January.

Thankfully, Facebook says there is no evidence this security breach was exploited by any nefarious individuals.

As well as being stored in plain text, passwords were searchable by thousands of Facebook employees.

Facebook said that hundreds of millions of Facebook Lite users had been affected, along with tens of millions of regular Facebook users. Most of the affected accounts were on Facebook Lite, a version of the app designed for emerging markets. The passwords were apparently captured because a server acting as a proxy on behalf of users logged their credentials for use in connecting to other Facebook services. Separately, the company wants to encourage small groups of people to carry on encrypted conversations that neither Facebook nor any other outsider can read.
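The root cause described above is a service writing credentials into its own logs. The following is an added example (not Facebook's code, and not derived from the article) of the kind of redaction filter and audit check a defender would put in front of a log pipeline so that password fields never reach storage. The log lines and field names are constructed for illustration.

```python
import re
from typing import List

# Constructed sample lines in the rough shape a login proxy might emit.
# They are illustrative only, not real log data from the incident.
SAMPLE_LOG_LINES = [
    "POST /login user=alice password=hunter2 status=200",
    '{"path": "/auth", "user": "bob", "passwd": "p@ssw0rd!", "status": 401}',
    "GET /feed user=carol status=200",
]

# Field names treated as credential-bearing (assumed list; extend per application).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "pass")
_KEYS = "|".join(SENSITIVE_KEYS)

# key=value style, e.g. "password=hunter2"
KV_PATTERN = re.compile(r"\b(" + _KEYS + r")\s*=\s*(\S+)", re.IGNORECASE)
# JSON style, e.g. "passwd": "p@ssw0rd!"  (handles escaped quotes inside the value)
JSON_PATTERN = re.compile(
    r'("(?:' + _KEYS + r')"\s*:\s*)"(?:[^"\\]|\\.)*"', re.IGNORECASE
)


def redact_line(line: str) -> str:
    """Replace the value of any credential field with a fixed marker.

    Applied at the logging layer, this keeps the rest of the record intact
    for debugging while guaranteeing the secret itself is never written."""
    line = KV_PATTERN.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = JSON_PATTERN.sub(r'\1"[REDACTED]"', line)
    return line


def find_plaintext_credentials(lines: List[str]) -> List[int]:
    """Audit helper: return indices of lines that still carry a credential value.

    Run over existing archives to find what should already have been redacted."""
    return [
        i for i, line in enumerate(lines)
        if KV_PATTERN.search(line) or JSON_PATTERN.search(line)
    ]


if __name__ == "__main__":
    print("lines carrying credentials:", find_plaintext_credentials(SAMPLE_LOG_LINES))
    for line in SAMPLE_LOG_LINES:
        print(redact_line(line))
```

The audit function is the piece that would have surfaced the 2012 archives early: running it over stored logs gives a count of offending records before anyone has to search them by hand.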

In a statement, Facebook said it had now resolved a "glitch" that had stored the passwords on its internal network.

Facebook stored the passwords of hundreds of millions of its users in plain text inside its internal systems, the social media giant has revealed.

Facebook is not requiring users to change their passwords, but you should do it anyway.

The plaintext passwords date back to 2012, according to Krebs.

Barysevich said he could not recall any major company caught leaving so many passwords exposed internally. Typically such passwords are obscured by "hashing" and "salting" them, so that even if someone accesses the stored data, the passwords themselves remain hidden.
