News broke last night that Facebook has been storing the passwords of hundreds of millions of its users in plaintext. According to KrebsOnSecurity, the data was searchable by thousands of Facebook employees and the issue goes back to 2012. Facebook has now confirmed that it mistakenly stored some passwords in plaintext.
In a press release, the social networking giant disclosed that it first learned about the issue back in January. However, as with earlier privacy-related disasters, the company did not disclose the incident until security researchers and reporters broke the news. While Facebook says the data wasn't exposed to anyone outside of the company, it was still searchable by thousands of its own employees.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," Facebook wrote. "We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity."
Should you change your Facebook password? Yes.
Since the passwords weren't exposed to anyone outside of the company, Facebook isn't advising everyone to change their passwords. It simply says that "you can change your password", not that you should. However, an internal exposure is still an exposure: anyone with read access to that data over those years could have copied it, and "no evidence of misuse" is not the same as proof that none occurred. If you are a Facebook user, you can follow these steps to change your password:
- Open the Facebook app and tap the hamburger menu to get to settings.
- Tap on Settings & Privacy > Settings.
- Under Security, tap on Security and Login.
- Under LOGIN, tap on Change password.
- Enter your current password, then the new one, and save.
While Facebook hasn't shared specific numbers, Krebs writes that "between 200 million and 600 million Facebook users may have had their account passwords stored in plain text" and that the data was "searchable by more than 20,000 Facebook employees."
If your password was searchable by tens of thousands of people, it should be treated as exposed, even if no one outside the company accessed it. Facebook assures there's no evidence that the data was misused, and writes that if you do go ahead and change your password, you should pick a strong, complex password and not reuse it on other platforms. The same logic applies in reverse: if the password you used on Facebook was also your password anywhere else, change it there too.
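To make concrete what "stored in plaintext" means compared with the norm the article implies, here is an added example; it is not code from the article, from Krebs or from Facebook, and nothing about Facebook's actual systems is known beyond what is quoted above. It contrasts a table where the record is the password itself with one that stores a salted, iterated hash (PBKDF2-HMAC-SHA256 with a per-user random salt and 600,000 iterations, parameters chosen for this example), then shows what an employee with read access to each table can do with it. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Parameters are assumptions for this example, not anything Facebook has
# published: PBKDF2-HMAC-SHA256, a 16-byte random salt per user, and
# 600,000 iterations (the OWASP figure for this construction as of 2023).
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def plaintext_record(password: str) -> str:
    """The anti-pattern: the stored record is the password itself.
    Anyone who can read the table can read every password."""
    return password


def hashed_record(password: str, salt: bytes = b"") -> str:
    """Store a salted, iterated hash instead of the password.

    The record is self-describing (algo$iterations$salt$hash, hex) so the
    work factor can be raised later without a migration flag day."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a login attempt against a hashed record in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def insider_search(table: dict, candidate: str) -> list:
    """What an employee with read access to the table can do.

    Against plaintext records this is a plain equality search over every
    user, instant and exact. Against hashed records the only option is to
    re-run the KDF for each user, with that user's own salt, for every
    password guess: the table is not searchable, only guessable, at one KDF
    run per user per guess."""
    hits = []
    for user, record in table.items():
        if record.startswith(ALGO + "$"):
            if verify(candidate, record):
                hits.append(user)
        elif record == candidate:
            hits.append(user)
    return hits


# Constructed sample data; these are not real accounts or passwords.
SAMPLE = {"alice": "hunter2", "bob": "correct horse", "carol": "hunter2"}
PLAINTEXT_TABLE = {u: plaintext_record(p) for u, p in SAMPLE.items()}
HASHED_TABLE = {u: hashed_record(p) for u, p in SAMPLE.items()}

if __name__ == "__main__":
    print("plaintext search for 'hunter2':", insider_search(PLAINTEXT_TABLE, "hunter2"))
    print("hashed search for 'hunter2':   ", insider_search(HASHED_TABLE, "hunter2"))
    # Same password, different salt, different record: shared passwords
    # are not visible by grouping identical rows.
    print("alice and carol share a password but not a record:",
          HASHED_TABLE["alice"] != HASHED_TABLE["carol"])
```

The point of the salt is visible in the last line: alice and carol use the same password, but their stored records differ, so an insider cannot even learn that two accounts share a password without guessing it. The iteration count is what makes each guess cost real CPU time; a memory-hard function such as scrypt or Argon2 is the better choice for new systems, and the record format above is what lets you migrate to one later.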