Facebook stored up to 600 million passwords in plain text

Unencrypted passwords could be accessed by Facebook's army of engineers

The passwords of as many as 600 million Facebook users were stored in plain text, readable by 12,000 employees, in a practice stretching back as far as 2012.

That's according to security researcher Brian Krebs, who claims that a series of data protection failures by the social media giant led to between 200 million and 600 million passwords being stored in plain text.

It is believed Facebook employees built applications that logged unencrypted passwords, all of which were stored on the firm's servers for several years.

An unnamed Facebook insider told Krebs that around 2,000 engineers or developers were able to make nine million internal queries for plain text passwords.

After launching an internal investigation, Facebook learnt that "some user passwords were being stored in a readable format within our internal data storage systems".

In a statement, the company added: "This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable.

"We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."

Facebook said it will "notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users" of the flaw.

However, the company went on to claim that these passwords "were never visible to anyone outside of Facebook" and that it has "found no evidence to date that anyone internally abused or improperly accessed them".

It added: "In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we've discovered them.

"There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook."

The news comes as Facebook continues to face mounting pressure around its data protection and security practices.

Last year, a security flaw compromised the information of 50 million Facebook users - the latest in a long line of security and privacy issues to have surfaced at a company whose founder once claimed it likes to "move fast and break things".
