If it wasn't enough for Facebook to grab your info from major Android applications, to encourage teenagers to sell their data to it and so much more, the company has another privacy violation to add to the ever-growing list. The social media network has been storing user passwords in plain text for years, making them visible to employees.
According to Brian Krebs, who spoke to a Facebook employee wishing to remain anonymous, it's estimated that between 200 and 600 million Facebook users may have been affected. In some cases, the storing of plain text passwords goes all the way back to 2012.
The passwords were searchable by more than 20 000 employees of the social media network. According to Krebs' source, 9 million internal queries "for data elements that contained plain text user passwords" were made in that time by engineers and developers.
The vast majority of affected users seem to have been using the Facebook Lite application - a version of the social media app designed for regions with worse connectivity. However, the passwords of regular Facebook accounts, as well as Instagram ones, have also been logged in plain text.
In a blog post, Facebook Vice President of Engineering, Security, and Privacy, Pedro Canahuati, noted that the issue was discovered during "a routine security review in January", claiming that it has already been fixed and that Facebook will notifying anyone affected to change their passwords. Another employee of the social media network, Software Engineer, Scott Renfro, also ensured that the unencrypted data has not been misused. He told Krebs:
"We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this."
Nevertheless, this doesn't change the fact that user privacy has been violated once again. This keeps happening with Facebook, to the point where many don't find themselves surprised at any revelation about the company's handling of user data anymore, while the reassurances coming from the social media network mean less and less.
What do you think about it? Let us know in the comments.