Facebook on Thursday said that it had left “hundreds of millions” of users’ passwords exposed in plain text, potentially visible to the company’s employees, marking another major privacy and security headache for a tech giant already under fire for mishandling people’s personal information.
Facebook said it believed the passwords were not visible to anyone outside the company and had no evidence that its employees “internally abused or improperly accessed them.” But it said it would notify users of Facebook as well as its photo-sharing site, Instagram, that they had been affected.
The incident was first revealed by the Krebs on Security blog, which estimated the total number of affected users ranged between 200 million and 600 million. Facebook declined Thursday to confirm the estimate.
Facebook’s mishandling of users’ passwords adds to a litany of recent privacy and security mishaps at the company, some of which have triggered investigations in the United States and European Union and could carry the risk of steep fines and other punishments.
Data-protection regulators in Ireland, which keeps watch over Facebook under the EU’s tough new privacy rules, said Thursday they had been in contact with Facebook, adding: “We are currently seeking further information.” The agency has already opened 10 probes into the tech giant’s data collection practices.
Like most companies, Facebook said it stores passwords using a technique called hashing that is supposed to make them unreadable. But a security review in January, detailed in a blog post Thursday, found that some passwords were actually stored in a readable format, a problem Facebook said it has since fixed. Most of those affected were users of Facebook Lite, the company said, a stripped-down version of the social network that is largely used in countries with lower Internet-connection speeds.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” said Pedro Canahuati, the company’s vice president of Engineering, Security and Privacy, in the blog post. “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
During its review, Canahuati said, Facebook also looked at its other security practices, mentioning specifically the use of so-called “access tokens,” which are how third-party apps identify a Facebook user and gain access to that user’s profile information. He said Facebook had “fixed problems as we’ve discovered them,” but did not say whether “access tokens” had led to security lapses. The company did not immediately respond to questions about what other security mishaps it had identified.
In September, Facebook acknowledged that hackers had stolen information that may have allowed them to access 50 million user accounts. It logged out 90 million users from their accounts because of the security incident, which allowed hackers to access profile information including users’ names and their gender.