Facebook has admitted that the passwords of over 600 million users had been stored insecurely in plain text since 2012, but the social media giant says it moved fast and has fixed the problem.
According to Pedro Canahuati, VP Engineering, Security and Privacy, “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.
To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”
The firm added that it would notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity such as Africa, Asia and Latin America.
According to Paul Ducklin, senior technologist at Sophos, it is perfectly possible that no passwords at all fell into the hands of any crooks as a result of this. But if any passwords did get into the wrong hands, which is highly likely, then users need to change their passwords to prevent further access.
Ducklin urges users to turn on two-factor authentication (2FA) so that a password alone isn't enough for crooks to raid their accounts.
Users reluctant to give Facebook their phone number can use app-based authentication instead, where an authenticator app on their phone generates a one-time code each time they log in.
Whether or not to close your Facebook account is a personal choice. Given that the wrongly-stored passwords weren't easily accessible in one database, and weren't deliberately stored for routine use during logins, Sophos doesn't think this breach alone is enough reason to close your account.
“On the other hand, it’s a pretty poor look for Facebook, and it might be enough, amongst all the other privacy concerns that have dogged Facebook in recent years, to convince you to take that final step. In short, you have to decide for yourself. (If it helps you decide, we’re not closing our accounts),” he added.
John Shier, senior security advisor at Sophos argues that despite the recent public struggles Facebook has had with respect to privacy and security, this incident is a little different.
“Authentication data is something that Facebook treats very seriously and has put in place many mechanisms, both externally and internally, to ensure that user credentials are safeguarded. While the details of the incident are still emerging, this is likely an accidental programming error that led to the logging of plain text credentials. That said, this should never have happened and Facebook needs to ensure that no user credentials or data were compromised as a result of this error. This is also another reminder for people who are still reusing passwords or using weak passwords to change their Facebook password to something strong and unique and to turn on 2-factor authentication.”
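Shier describes the likely cause as a programming error that logged plain-text credentials. The following added example, written for this page rather than taken from Facebook or Sophos, shows the bug pattern (dumping a whole login request into a log) beside two defences: redacting sensitive fields before logging, and a logging filter that scrubs credential-looking patterns from every message as a last line of defence. It also shows the storage side: only a salted scrypt hash of the password is ever kept. The request dictionary, key list and function names are constructed for the illustration.

```python
import hashlib
import hmac
import json
import logging
import os
import re

# Constructed sample login request, as a web framework might hand it to a handler.
SAMPLE_REQUEST = {"user": "alice@example.com", "password": "hunter2", "remember": True}

# Keys whose values must never reach a log line (illustrative list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "secret"}


def redact(obj):
    """Return a copy of a request structure with sensitive values replaced."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


class RedactingFilter(logging.Filter):
    """Defence in depth: scrub key=value and "key": "value" credential patterns
    from every message passing through the logger, whatever code emitted it."""
    PATTERN = re.compile(
        r'(?i)\b(password|passwd|pwd|token|secret)\b(["\']?\s*[:=]\s*["\']?)([^"\',\s}]+)')

    def filter(self, record):
        # Format first so %-style arguments are scrubbed too, then drop the args.
        record.msg = self.PATTERN.sub(r"\1\2[REDACTED]", record.getMessage())
        record.args = ()
        return True


def login_vulnerable(request, log):
    """The bug pattern: logging the whole request writes the password in plain text."""
    log.info("login attempt: %s", json.dumps(request))


def login_hardened(request, log):
    """Redact before the value can reach any sink."""
    log.info("login attempt: %s", json.dumps(redact(request)))


class ListHandler(logging.Handler):
    """Collects formatted records so the output can be inspected in code."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def run_with_logger(handler_fn, request, use_filter):
    """Run a login handler against a fresh logger and return what it logged."""
    log = logging.getLogger(f"demo.{handler_fn.__name__}.{use_filter}")
    log.handlers.clear()
    log.filters.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    sink = ListHandler()
    log.addHandler(sink)
    if use_filter:
        log.addFilter(RedactingFilter())
    handler_fn(request, log)
    return sink.lines


def hash_password(password, salt=None):
    """Store only a salted scrypt hash (n=2^14, r=8, p=1), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for fn, flt in [(login_vulnerable, False), (login_hardened, False), (login_vulnerable, True)]:
        print(fn.__name__, "filter" if flt else "no filter", run_with_logger(fn, SAMPLE_REQUEST, flt))
    print(hash_password("hunter2"))
```

The filter is a safety net, not a substitute for the redaction: a regex will miss values that are not labelled with one of the listed keys, which is why the hardened handler never builds a log message from the raw request in the first place.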