Facebook Password Breach: What You Need to Know


By now you have probably heard the news – Facebook left millions of user passwords exposed in plain text for years. How do you feel about the breach? Here’s our CISO’s response: 

Yesterday Facebook disclosed that, during a routine security review, it discovered “some” user passwords were being stored unencrypted, but that the passwords were not visible to anyone outside of Facebook. Facebook’s definition of “some” doesn’t really convey the full magnitude of this event: hundreds of millions of users are affected.

False Reassurance

Facebook released an official statement declaring, “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”

Assuming Facebook follows a Secure Systems Development Lifecycle (SSDLC), protecting stored passwords is a core control that should be built into the system and verified. That there is no evidence anyone external to Facebook had access to the unencrypted passwords is not reassuring. Was this a flaw or an accepted risk?

More questions than answers

So what went wrong and how could plain-text credentials go undetected since 2012?

As a Facebook user, I wonder why an internal employee would need access to my unencrypted password. Ultimately, it’s still up to the consumer to govern the data shared with services like these. At no time should the passwords ever have been left in clear text.

This won’t be the last of Facebook’s issues. According to an inside source of Brian Krebs, “Some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.” This presents even more questions.

This incident and others like it continue to highlight the importance of security. It is critical that dev teams work together to ensure events like these are promptly discovered and remediated. This is also an indicator that the demise of the password has been greatly exaggerated.
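To make concrete what “left in clear text” versus a correctly protected password looks like, and what “promptly discovered” can mean in practice, here is an added example (written for this post, not Facebook’s or Thycotic’s code). It shows the plaintext anti-pattern beside salted, slow hashing with only the verifier stored, plus a small scan that flags credential fields leaking into log lines. The log lines, user names and passwords are constructed for illustration; the hash format and the field names the scanner looks for are assumptions, not anything the post describes.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# --- The anti-pattern described in the post: the secret itself is persisted.
def store_plaintext(user: str, password: str) -> str:
    """Return the record a naive system would write (constructed example of what NOT to do)."""
    return f"user={user} password={password}"


# --- Hardened: salted, deliberately slow hash; only the verifier is stored.
PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing verifier string: algo$iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(16)  # unique per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- Detection: scan log lines for credential fields that carry a real value.
# Field names are an assumed list; extend it for the systems you actually run.
CRED_FIELD = re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*(\S+)")
REDACTION_MARKERS = {"[REDACTED]", "***", "<redacted>"}


def find_plaintext_credentials(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, field_name) for each line that logs a live credential.

    The value itself is intentionally NOT returned, so the finding does not
    re-expose the secret in a ticket or a SIEM alert.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = CRED_FIELD.search(line)
        if match and match.group(2) not in REDACTION_MARKERS:
            hits.append((line_no, match.group(1)))
    return hits


# Constructed sample log: one debug line and one legacy import leak a password,
# one line shows the correctly redacted form.
SAMPLE_LOG = [
    "2019-03-21T10:00:01Z auth login ok user=alice",
    "2019-03-21T10:00:02Z debug request body user=bob password=hunter2",
    "2019-03-21T10:00:03Z legacy-import passwd=Tr0ub4dor&3 user=carol",
    "2019-03-21T10:00:04Z auth login ok user=dave password=[REDACTED]",
]


if __name__ == "__main__":
    verifier = hash_password("correct horse battery staple")
    print("stored verifier:", verifier)
    print("login with right password:", verify_password("correct horse battery staple", verifier))
    print("login with wrong password:", verify_password("wrong", verifier))
    print("log lines leaking credentials:", find_plaintext_credentials(SAMPLE_LOG))
```

Two design points worth noting: the verifier string carries its own algorithm and iteration count, so the cost can be raised later and old records re-hashed on next login; and the log scanner reports only the line number and field name, because a detection that copies the leaked value into an alert would itself become another plaintext store.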

What you should do now

Yesterday’s statement says Facebook estimates it will “notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Even if you were not notified, we recommend you change your password immediately. If you reuse the same password across multiple sites, be sure to change and update your credentials on those platforms as well. Here are some other security tips:

- Set up 2-factor authentication
- Sign up to receive alerts about unrecognized Facebook logins
- Stop reusing passwords across different accounts
- Download a password manager

If Facebook can’t get basic password security right, what other security flaws have yet to be disclosed?

About Thycotic
Thycotic’s award-winning Privileged Account Management solutions minimize privileged credential risk, limit user privileges and control applications on endpoints and servers. Thycotic is one of the world’s fastest growing IT security companies because we provide customers with the freedom to choose cloud or on premise software solutions that are the easiest to implement and use in the industry. Thycotic solutions are the highest rated PAM tools by your Gartner peers, and trusted by over 10,000 users worldwide including 25% of Forbes Top 50 Companies, and 20% of the Fortune 500.
