Account passwords for hundreds of millions of Facebook users have been housed in plain text and searchable by thousands of Facebook employees since 2012.
An internal probe found that Facebook staffers had built applications that logged unencrypted password data and stored it in plain text on internal company servers, according to the KrebsOnSecurity report. The investigation so far suggests that between 200 million and 600 million users may have had their account passwords stored in plain text, making them searchable by more than 20,000 Facebook employees.
An anonymous Facebook employee told KrebsOnSecurity that access logs indicated that 2000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.
Facebook Software Engineer Scott Renfro told Krebs that the company hasn't found any cases where someone was intentionally looking for passwords or misusing the data. The company plans to alert users starting any moment now, Renfro said, but doesn't believe that any password resets will be required.
"In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this," Renfro said. "We want to make sure we're reserving those steps and only force a password change in cases where there's definitely been signs of abuse."
Facebook VP of Engineering, Security and Privacy Pedro Canahuati subsequently published a blog post in which he acknowledged that the company stored some user passwords in a readable format within the company's internal data storage systems. The passwords were never visible to anyone outside of Facebook, Canahuati said.
Canahuati said that, as part of the review, Facebook has also been examining how it stores other categories of information such as access tokens, and has been fixing problems as they are discovered.
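The failure mode described in the report, internal tooling that writes request data, passwords and access tokens included, straight into application logs, is easy to reproduce and just as easy to prevent. What follows is an added example and not code from Facebook or from the report: a naive request logger beside a redacting one, plus a scanner that flags log lines still carrying credentials, the kind of check that would surface such a leak before years had passed. The endpoints, field names, sensitive-key list and sample log lines are all constructed for illustration.

```python
"""Added illustration of the plaintext-password logging failure mode.
Not Facebook's code: endpoints, field names and log lines are constructed."""
import json
import re

REDACTED = "[REDACTED]"

# Key names whose values never belong in a log. Substring match, case-insensitive:
# over-redacting an odd key is the safe failure. Assumed list, extend per schema.
SENSITIVE_KEY_RE = re.compile(r"password|passwd|secret|token|authorization|cookie", re.I)

# Locates `"key": value` (JSON style) and key=value (query-string style) pairs in
# an existing log line so leaked credentials can be found after the fact.
LEAK_RE = re.compile(
    r'(?P<key>password|passwd|secret|token|authorization|cookie)'
    r'["\']?\s*[:=]\s*["\']?(?P<val>[^"\'&,\s}]+)',
    re.I,
)


def naive_log_line(endpoint, body):
    """The anti-pattern: dump the whole request body 'for debugging'.
    Whatever the user typed into the password field ends up in the log."""
    return f"POST {endpoint} body={json.dumps(body, sort_keys=True)}"


def redact(obj):
    """Return a copy of obj with the values of sensitive keys replaced,
    descending into nested dicts and lists."""
    if isinstance(obj, dict):
        return {k: (REDACTED if SENSITIVE_KEY_RE.search(str(k)) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def safe_log_line(endpoint, body, headers):
    """Same log line, but credentials and bearer tokens are scrubbed first."""
    return (f"POST {endpoint} body={json.dumps(redact(body), sort_keys=True)} "
            f"headers={json.dumps(redact(headers), sort_keys=True)}")


def find_leaked_secrets(lines):
    """Scan existing log lines; return (line_number, key) for every sensitive
    field whose value has not already been redacted."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in LEAK_RE.finditer(line):
            if m.group("val") != REDACTED:
                hits.append((n, m.group("key").lower()))
    return hits


# Constructed sample log, as a log-everything internal tool might produce.
SAMPLE_LOG = [
    'POST /login body={"email": "alice@example.com", "password": "hunter2"}',
    'POST /login body={"email": "bob@example.com", "password": "[REDACTED]"}',
    'GET /api/me headers={"authorization": "Bearer eyJabc.def.ghi"}',
    'GET /auth?user=carol&password=s3cret HTTP/1.1',
    'GET /feed?page=2 HTTP/1.1',
]

if __name__ == "__main__":
    body = {"email": "alice@example.com", "password": "hunter2"}
    headers = {"authorization": "Bearer tok123", "user-agent": "demo/1.0"}
    print(naive_log_line("/login", body))            # leaks hunter2
    print(safe_log_line("/login", body, headers))    # both secrets redacted
    for line_no, key in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {line_no}: unredacted '{key}' value")
```

Redaction at the point of logging is the control that matters; the scanner is the compensating check for logs already written. Running the scanner over the constructed sample reports lines 1, 3 and 4, and a line produced by the redacting logger yields no hits.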
"There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook," Canahuati wrote in the blog post.
Facebook expects to notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users, according to Canahuati. Facebook Lite is a version of Facebook designed for people in regions with lower connectivity, Canahuati said.
The password storage issue comes three months after Facebook disclosed that it had allowed third-party applications to improperly access photos from up to 6.8 million users. The bug affected as many as 1500 apps built by 876 developers, and exposed photos for 12 days between 13 and 25 September.
Three months before that, Facebook revealed that attackers had exploited a vulnerability in the social media giant's code to potentially take over nearly 50 million people's accounts. The vulnerability discovered in Facebook's code impacted 'View As,' a feature that lets people see what their own profile looks like to someone else.