Following last September’s massive breach of user data, it is becoming more and more challenging to summarize all of the privacy and security fumbles Facebook is held responsible for. This past week has made that summary all the more difficult. Following a report by Krebs on Security, on Thursday Facebook publicly acknowledged a “bug” in its password management system that caused millions upon millions of Facebook and Instagram user passwords to be stored as plaintext on an internal platform. Essentially, thousands of Facebook employees could have searched for and easily found these usernames and passwords. Reports suggest that the affected passwords could stretch back to those created as early as 2012.
Securely storing passwords matters enormously. Large organizations typically rely on a cryptographic process: account passwords are scrambled before they are saved to the servers, so that even someone who obtains the stored values cannot read them, and even a computer would struggle to unscramble them. Facebook invests heavily in security measures to avoid the liability and embarrassment that security mishaps bring, but one open door renders all of the protection and traps put in place essentially useless.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Pedro Canahuati, Facebook’s vice president of engineering, security, and privacy, wrote in a statement.
He went on to say that Facebook’s login systems are designed to mask passwords using techniques that make them unreadable. He is adamant that these passwords were never visible to anyone outside of Facebook and that no evidence has been found to date that any internal workers abused or improperly accessed them.
Facebook has publicly stated that the password bug is under control and that it will notify tens of millions of Facebook users and tens of thousands of Instagram users that their passwords may have been exposed. However, consider changing your password anyway, since Facebook says it does not plan to reset users’ passwords.
For such a prominent target, Facebook has had relatively few technical security failures, and in this case it appears not to have been compromised. But the company’s track record was severely hurt by a security scandal last September, in which attackers stole extensive data from 30 million users by compromising the authentication tokens generated when a user logs in.
Per Facebook, the exposed passwords were not all stored in one place. The issue did not come from a single bug in the platform’s password management system; rather, Facebook unintentionally captured plaintext passwords across a variety of internal systems, such as storage systems and crash logs. The nature of the problem certainly made it more complicated to understand and to fix, which is a contributing factor behind why it took almost two months to complete the investigation and disclose it to the public.
Facebook’s size and standing mean it needs to keep network traffic logs in order to understand and trace any abnormality that may come up, so any data moving through the system can end up passing through those logs. That Facebook captured passwords in the process is understandable; the questions are why Facebook retained logs that included sensitive data for so long, and why the company was apparently unaware of their contents.
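The failure mode described above, credentials swept into debug logs and crash dumps, is usually addressed in two ways: scrubbing known secret fields before a log line is written, and periodically scanning retained logs for anything that slipped through. The following Python is an added example, not Facebook’s code or anything from the article; the field names, the matching pattern and the sample log lines are constructed for illustration.

```python
import re
from typing import Any

# Constructed list of field names whose values must never be logged in cleartext.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "passphrase", "new_password", "old_password"}
REDACTED = "[REDACTED]"

# Matches key=value / key: value / "key": "value" in free text (query strings,
# crash dumps); group 3 is the secret itself. Constructed for this example.
_KV_RE = re.compile(
    r"""(?i)\b(""" + "|".join(sorted(SENSITIVE_KEYS))
    + r""")["']?\s*([=:])\s*["']?([^\s&;,"']+)"""
)

def scrub_free_text(line: str) -> str:
    """Redact password-like values in an unstructured log line, keeping the key."""
    return _KV_RE.sub(lambda m: line[m.start():m.start(3)] + REDACTED, line)

def scrub_structured(event: Any) -> Any:
    """Recursively redact sensitive keys in a structured (JSON-like) log event."""
    if isinstance(event, dict):
        return {k: REDACTED if k.lower() in SENSITIVE_KEYS else scrub_structured(v)
                for k, v in event.items()}
    if isinstance(event, list):
        return [scrub_structured(v) for v in event]
    if isinstance(event, str):
        return scrub_free_text(event)  # secrets can hide inside string fields too
    return event

def find_leaks(lines: list[str]) -> list[int]:
    """Detection: 1-based numbers of retained log lines that still carry a plaintext secret."""
    return [n for n, line in enumerate(lines, 1)
            if any(m.group(3) != REDACTED for m in _KV_RE.finditer(line))]

# Constructed sample log lines modelled on the incident: a debug line that logged a
# request body and a crash dump that serialised a request object.
SAMPLE_LOG = [
    "2019-01-14T10:02:11Z INFO login ok user=alice",
    "2019-01-14T10:02:12Z DEBUG POST /login body=user=bob&password=hunter2&remember=1",
    '2019-01-14T10:02:13Z ERROR crash dump: {"user": "carol", "password": "S3cret!", "ip": "10.0.0.5"}',
]

if __name__ == "__main__":
    print("leaky lines before scrubbing:", find_leaks(SAMPLE_LOG))
    clean = [scrub_free_text(l) for l in SAMPLE_LOG]
    print("leaky lines after scrubbing: ", find_leaks(clean))
    for line in clean:
        print(line)
```

Running `find_leaks` over an archive of retained logs is the audit step Kenn White describes below; scrubbing at write time is what keeps the archive from needing it.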
“The data that’s captured incidentally as part of debugging, and operating at the network scales they do is not uncommon, but if Facebook retains that for years it raises a lot of questions about their architecture. They have an obligation to protect these debug logs and audit and understand what they’re retaining. In some ways that’s the most sensitive data they hold, because it’s raw and unmanaged,” says Kenn White, a security engineer and director of the Open Crypto Audit Project.
Last May, Twitter went through a very similar dilemma concerning plaintext password logging. Twitter, too, did not require users to reset their passwords, saying it had no reason to believe the passwords were breached. Facebook took the same stance, saying its investigation did not reveal any signs that anyone intentionally accessed, used, or stole the hundreds of millions of passwords. However, with a scandal this large it is certainly a good idea to change your password, regardless of whether you were affected.
Changing it is a simple process, easily reached through the settings menu on both Instagram and Facebook. A quick 30 seconds out of your day might protect your personal information in the long run. The easiest way to keep track of and manage your passwords, so you can change them quickly after incidents like this, is to set up a password manager. If you don’t have a password manager, get one and make your life far easier and safer!
Facebook claims that the plaintext password issue is resolved for now and that, in the long term, this scandal will not affect users because the passwords were only accessible internally. However, given the various other security mishaps Facebook has been the subject of, it is difficult to know what will truly come of this.
LACyber is a division of Lincoln Archives providing comprehensive Data Breach Defense Services. Lincoln Archives and LACyber are proud to be part of the Lincoln Family of Companies, serving the Western New York community since 1914.