Millions of Facebook users had their passwords stored in plain text, searchable by Facebook employees, as Krebs on Security reports.
According to a source familiar with Facebook's investigation, between 200 million and 600 million accounts may have been affected. The plain-text passwords could be searched by more than 20,000 employees, and internal logs showed that 2,000 engineers or developers had made approximately 9 million internal queries for data that contained plain-text passwords.
The source told Krebs that Facebook is still determining how many passwords were exposed and for how long. So far, however, the inquiry has uncovered archives containing plain-text user passwords dating as far back as 2012.
It is worrying that Facebook employees could have had access to this data, although apparently no misuse has been found. “We have not found any cases so far in our investigations where someone was looking intentionally for passwords,” Scott Renfro, a Facebook software engineer, told KrebsOnSecurity.
Renfro also said that Facebook discovered the problem in January 2019, when security engineers reviewing code noticed that passwords were being inadvertently logged in plain text.
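The failure mode Renfro describes, credentials ending up in logs as a side effect of ordinary logging, is something a logging layer can guard against before any record reaches a file or a search index. The following is an added example, not code from Facebook or from the Krebs report: a Python `logging` filter that redacts sensitive fields in structured log arguments and `key=value` credential pairs in free-text messages. The field names, the sample login request and the logger name are constructed for illustration.

```python
"""Added example: keep credentials out of application logs.

A redacting filter attached to a log handler sanitizes every record before
it is formatted, so a password that reaches the logger by mistake is never
written out. Field names and the sample request are constructed, not taken
from any real system.
"""
import io
import logging
import re
from typing import Any

# Keys whose values must never be logged (constructed list; extend per application).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}
REDACTED = "[REDACTED]"

# Matches "password=hunter2" or "password: hunter2" in free-text messages.
# Group 1 is the key, group 2 the separator; the value stops at whitespace,
# '&', ',' or ';' so the remainder of the line survives intact.
_KV_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(map(re.escape, sorted(SENSITIVE_KEYS))) + r")(\s*[=:]\s*)[^\s&,;]+"
)


def redact(obj: Any) -> Any:
    """Return a copy of obj with values of sensitive dict keys replaced.

    Walks dicts, lists and tuples recursively; other values are returned as-is.
    Key comparison is case-insensitive so 'Password' is caught as well.
    """
    if isinstance(obj, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    return obj


def redact_text(message: str) -> str:
    """Replace the value of key=value credential pairs inside a free-text message."""
    return _KV_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}", message)


class RedactingFilter(logging.Filter):
    """Sanitize a record's arguments and message before the handler formats it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Structured arguments (a dict, or positional values) are redacted by key.
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif record.args:
            record.args = tuple(redact(a) for a in record.args)
        # Format once, then scrub free-text pairs such as a raw query string.
        record.msg = redact_text(record.getMessage())
        record.args = None
        return True  # always keep the record; only its content changes


def log_sanitized(message: str, *args: Any) -> str:
    """Log through a handler carrying RedactingFilter and return the emitted line."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("login-demo")  # constructed logger name
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers = [handler]
    logger.info(message, *args)
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample login request, the kind of object that gets logged by accident.
    request = {"user": "alice", "password": "hunter2", "remember_me": True}
    print("unfiltered:", "login attempt: %s" % request)  # what inadvertent logging produces
    print("filtered:  ", log_sanitized("login attempt: %s", request))
    print("filtered:  ", log_sanitized("raw body: user=alice&password=hunter2&remember=1"))
```

The filter is attached to the handler rather than the logger so it also covers records propagated from child loggers; the free-text pattern only handles `key=value` pairs, so header-style values such as bearer tokens would need their own rule.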
Given the scale of the issue, you may expect Facebook to inform affected users. In a statement to KrebsOnSecurity, Facebook said it expects to notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users.
This news is not great for Facebook, which has been grappling with privacy woes of late, dating from the Cambridge Analytica fiasco last year. Although Renfro said that no password resets would be required, I think it would be great if you changed your Facebook password right now to be safe.