LACyber: Cyber Security Blog

a division of Lincoln Archives Inc.


Facebook’s Password Dilemma: Another Security Mishap?

by Sally Rozumalski

Following last September’s massive breach of user data, it is getting harder to keep a running summary of the privacy misuse and security fumbles Facebook is held responsible for, and this past week made that summary longer still. Following a report by Krebs on Security, on Thursday Facebook publicly acknowledged a “bug” in its password handling that left millions of Facebook and Instagram user passwords stored in plaintext on internal systems. Thousands of Facebook employees could have searched for and found those usernames and passwords. Reports suggest that the affected passwords stretch back to some created as early as 2012.

Storing passwords securely matters. Large organizations do not keep the password itself; they run it through a cryptographic one-way function (a password hash) before saving the result to their servers, ideally a salted, deliberately slow hash, so that even if an attacker copies the stored values, recovering the original passwords from them is impractical. Facebook invests heavily in security to avoid the liability and embarrassment that mishaps bring, but one open door, here plaintext copies written somewhere outside the hashed store, renders all of that protection essentially useless.

 

“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Pedro Canahuati, Facebook’s vice president of engineering, security, and privacy wrote in a statement.

 

He goes on to say that Facebook’s login systems are designed to mask passwords with techniques that make them unreadable, that the passwords were never visible to anyone outside Facebook, and that no evidence has been found to date of any employee abusing or improperly accessing them.

 

Facebook has said the password bug is under control and that it will notify the tens of millions of Facebook users and tens of thousands of Instagram users whose passwords may have been exposed. Facebook does not plan to force a password reset, so consider changing your password yourself.

 

For such a prominent target, Facebook has had relatively few purely technical security failures, and in this case it does not appear to have been compromised by an outsider. But the company’s track record took a serious hit last September, when attackers stole extensive data from 30 million users by harvesting their access tokens, the credentials Facebook issues when a user logs in, which let whoever holds them act as that account without knowing the password.

 

According to Facebook, the exposed passwords were not all sitting in one place, and the problem was not a single bug in a password management system: Facebook had unintentionally captured plaintext passwords across a variety of internal systems, including storage systems and crash logs. That spread made the problem harder both to understand and to fix, which is part of why it took almost two months from discovery to complete the investigation and disclose it to the public.

 

At Facebook’s scale, engineers need logs of network traffic and errors to understand and trace any abnormality that comes up, and whatever passes through the system, login requests included, can end up in those logs. That Facebook captured passwords this way is unsurprising; the questions are why the company retained logs containing sensitive data for so long, and why it was apparently unaware of what they held.
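Added here as an example written for this post (it is not Facebook’s tooling and says nothing about how their internal systems were built): a small redaction filter that scrubs credential fields from two common log shapes, a text line that captured a login form body and a JSON crash record, plus a canary check a test pipeline can run over its logs to catch any plaintext password that slips through. The sample log lines, the field names, and the sensitive-key pattern are constructed for the example.

```python
import json
import re

REDACTED = "[REDACTED]"

# Key names that must never be logged in the clear. The pattern is an
# assumption for the example and deliberately broad (over-redaction is the
# safe failure); extend it for your own field names.
SENSITIVE_KEY = re.compile(r"(?:pass(?:word|wd)?|pwd|secret|token|authorization)", re.I)

# key=value pairs inside a free-text line, e.g. "password=hunter2" in a
# captured form body. Values end at '&', whitespace or a quote.
KV_PATTERN = re.compile(
    r"\b([A-Za-z_]*(?:pass(?:word|wd)?|pwd|secret|token)[A-Za-z_]*)=([^&\s\"']*)",
    re.I,
)

# Constructed sample: an access-log line that captured the POST body, a JSON
# crash record carrying the request form, and a benign line.
SAMPLE_LOG = [
    '2019-03-21T10:15:02Z INFO POST /login ip=203.0.113.7 '
    'body="email=alice%40example.com&password=hunter2&remember=1"',
    '{"level": "ERROR", "event": "crash", "request": {"path": "/api/login", '
    '"form": {"username": "bob", "password": "Tr0ub4dor&3"}}, "trace": "frames omitted"}',
    '2019-03-21T10:15:03Z INFO GET /feed ip=203.0.113.7 status=200',
]


def redact_structure(obj):
    """Recursively replace values under sensitive keys in parsed JSON."""
    if isinstance(obj, dict):
        return {k: (REDACTED if SENSITIVE_KEY.search(k) else redact_structure(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_structure(v) for v in obj]
    return obj


def redact_line(line: str) -> str:
    """Scrub one log line before it is written to disk or shipped elsewhere."""
    stripped = line.strip()
    if stripped.startswith("{"):
        try:
            return json.dumps(redact_structure(json.loads(stripped)), sort_keys=True)
        except json.JSONDecodeError:
            pass  # not JSON after all; fall through to the text rule
    return KV_PATTERN.sub(lambda m: m.group(1) + "=" + REDACTED, line)


def redact_all(lines):
    return [redact_line(line) for line in lines]


def leaked_secrets(lines, canaries):
    """Return (line_index, canary) for every canary value found verbatim.

    Run this with the passwords of dedicated test accounts after an
    integration run: any hit means some code path still writes credentials
    to a log, which is exactly the failure described in the article.
    """
    return [(i, c) for i, line in enumerate(lines) for c in canaries if c in line]


if __name__ == "__main__":
    canaries = {"hunter2", "Tr0ub4dor&3"}
    print(leaked_secrets(SAMPLE_LOG, canaries))
    cleaned = redact_all(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(leaked_secrets(cleaned, canaries))
```

The redaction filter belongs at the point where log records are produced, not at the retention layer; the canary scan is the independent check that proves the filter is actually in the path for every system that sees a login request, crash handlers included.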

 

“The data that’s captured incidentally as part of debugging, and operating at the network scales they do is not uncommon, but if Facebook retains that for years it raises a lot of questions about their architecture. They have an obligation to protect these debug logs and audit and understand what they’re retaining. In some ways that’s the most sensitive data they hold, because it’s raw and unmanaged.” says Kenn White, a security engineer and director of the Open Crypto Audit Project.

 

Twitter went through a very similar episode in May of last year, when it disclosed that it had been logging plaintext passwords. Twitter also did not require users to reset their passwords, saying it had no reason to believe they had been breached. Facebook has taken the same stance, saying its investigation found no sign that anyone intentionally accessed, used, or stole the hundreds of millions of passwords. Even so, with a lapse this large it is a good idea to change your password whether or not you were notified.

 

It’s a pretty simple process and easily accessed through the settings button on both Instagram and Facebook. A quick 30 seconds out of your day might save your personal information in the long run. The easiest way to keep track of and manage your passwords so you can easily change them after incidents like this is to set up a password manager. If you don’t have a password manager, get one and make your life exponentially easier and safer!

 

Facebook says the plaintext password issue is now resolved and that, long term, the incident will not affect users because the passwords were only ever accessible from inside the company. Given the various other security mishaps Facebook has been the subject of, though, it is hard to know what will ultimately come of this.

 

LACyber is a division of Lincoln Archives providing comprehensive Data Breach Defense Services. Lincoln Archives and LACyber are proud to be a part of Lincoln Family of Companies serving the Western New York Community since 1914.
