On Thursday an anonymous source claiming to be a Facebook employee disclosed that the passwords of hundreds of millions of people had been lying around in a searchable, unencrypted text format on the company’s servers for months. More than half of Facebook’s 36,000 employees worldwide had been able to access the data and possibly abuse it. One hour after the whistle-blower reported the incident to the media, Facebook published an official statement confirming that the glitch is real: the passwords of hundreds of millions of people from all over the world had been stored in a readable format within Facebook’s internal data storage systems, where they could have been accessed by almost everyone working at the social media network.
First reported on Krebs on Security, a media outlet run by the U.S. journalist and cyber-security researcher Brian Krebs, the investigation indicated that the glitch affects approximately one-quarter of the company’s 2 billion monthly active users. The majority of the easily accessible passwords belong to users of Facebook Lite. As you may already know, Facebook Lite is a lightweight version of Facebook’s app that lets users reach the social network through an app better suited to low-power Android devices or to limited Internet connections.
It is still unknown exactly how many passwords have been exposed and for how long they were readily available to tens of thousands of Facebook employees. According to the whistle-blower, access logs show that roughly two thousand IT professionals working at Facebook made nearly 10 million internal queries over the last 7-8 years for data elements that contained plain-text user passwords. In its official statement, Facebook confirmed that it would be notifying hundreds of millions of Facebook and Instagram users about the possible breach.
Even though Facebook said that it has fixed the issue and that it will only be notifying affected users, we strongly recommend that all users change their passwords on Facebook and Instagram. Both Facebook and Instagram confirmed that they are not planning to force all customers to reset their passwords, because they currently have no evidence that the millions of unprotected passwords have been heavily misused.
We remind you to avoid reusing a password across different services and to always use passwords that are not easy to guess. Practicing good password hygiene by changing them every three months is even better and would undoubtedly decrease the chances of you being affected by such data exposures. You can use a password manager app if you struggle to remember so many passwords. Most of the reliable antivirus software solutions currently on the market offer such options anyway.
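The root of the exposure described above is that a server held passwords in readable form, so anyone with read access to that store (or to the logs fed from it) learned the passwords themselves. The following is an added example, written for this article and not code from Facebook or from the reporting it summarises, showing the two storage layouts side by side: the readable layout the article describes, and the standard safeguard of keeping only a per-user random salt and a slow, salted hash (scrypt from Python’s standard library is used here as an assumed choice; the user names and passwords are constructed sample data).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# scrypt work factors assumed for this example (128 * N * r = 16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(store: Dict[str, dict], username: str, password: str) -> None:
    """The layout the article describes: the password is written as-is, so
    every reader of the store (and of any log dumped from it) has it."""
    store[username] = {"password": password}


def store_hashed(store: Dict[str, dict], username: str, password: str) -> None:
    """Keep only a random salt and a slow, salted hash. The stored value
    cannot be turned back into the password, and two users with the same
    password still get different records because the salts differ."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P
    )
    store[username] = {"salt": salt, "hash": digest}


def verify_hashed(store: Dict[str, dict], username: str, password: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time,
    so the comparison itself does not leak how many bytes matched."""
    entry = store.get(username)
    if entry is None:
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=entry["salt"], n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P
    )
    return hmac.compare_digest(digest, entry["hash"])


def readable_password(store: Dict[str, dict], username: str) -> Optional[str]:
    """What an insider browsing the store learns about a user: the password
    itself in the plaintext layout, nothing in the hashed layout."""
    entry = store.get(username)
    return entry.get("password") if entry else None


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    plain: Dict[str, dict] = {}
    hashed: Dict[str, dict] = {}
    for user, pw in [("alice", "correct horse battery"), ("bob", "correct horse battery")]:
        store_plaintext(plain, user, pw)
        store_hashed(hashed, user, pw)

    print("plaintext store exposes:", readable_password(plain, "alice"))
    print("hashed store exposes:   ", readable_password(hashed, "alice"))
    print("login alice/right pw:   ", verify_hashed(hashed, "alice", "correct horse battery"))
    print("login alice/wrong pw:   ", verify_hashed(hashed, "alice", "guess"))
    print("same pw, same record?   ", hashed["alice"]["hash"] == hashed["bob"]["hash"])
```

The contrast is the point: with the hashed layout, the internal queries the article mentions would have returned salts and digests that are useless for logging in, and a login check still works because the server only needs to recompute and compare.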
Good luck and stay safe!