In January of 2019 Facebook discovered that they were storing many of their users’ passwords improperly. Facebook found that the passwords were not leaked or accessed improperly, despite the fact that thousands of Facebook employees had the ability to see the logs.
Facebook said they will be notifying the people whose passwords were exposed.
Millions of Instagram users were affected, according to an update on April 18. Additionally, hundreds of millions of Facebook Lite and other Facebook users had their passwords logged in a readable format somewhere in Facebook’s internal data storage systems.
The passwords being readable means that they were not hashed, encrypted, or otherwise obfuscated. This is against best practices. The website that you're logging into is not supposed to know your password: it is hashed before it's stored. That way nobody can find out what the password is, even if they see the password database with their own two eyes. That's why sites don't send you your old password when you forget it: they simply don't know it.
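As an added illustration (not from the original article and not Facebook's code), the sketch below stores only a salted, slow hash of a password and scrubs password fields from a log message before it is written. The PBKDF2 iteration count, the field names matched by the filter, and all sample values are assumptions made for this example.

```python
import hashlib
import hmac
import logging
import os
import re

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
SALT_LEN = 16

def hash_password(password: str) -> bytes:
    """Return salt || PBKDF2 digest. Only this value is ever stored."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Field names treated as secrets in log text (assumed list, extend as needed).
SENSITIVE = re.compile(r"(?i)\b(password|passwd|pwd)=([^\s&]+)")

def redact(text: str) -> str:
    """Replace the value of any password-like field with a marker."""
    return SENSITIVE.sub(r"\1=[REDACTED]", text)

class RedactPasswords(logging.Filter):
    """Logging filter that scrubs the fully formatted message."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted
        return True

if __name__ == "__main__":
    log = logging.getLogger("auth")
    handler = logging.StreamHandler()
    handler.addFilter(RedactPasswords())
    log.addHandler(handler)
    log.setLevel(logging.INFO)

    stored = hash_password("hunter2")  # constructed sample password
    # The careless call that would put the secret in the log is scrubbed:
    log.info("login user=%s password=%s", "alice", "hunter2")
    log.info("password check ok=%s", verify_password("hunter2", stored))
```

A filter like this is a safety net for the logging path only; the stored value is protected by the hash, which cannot be turned back into the password by reading the database.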
Facebook does make use of all the proper techniques to mask people’s passwords and takes additional measures to protect people’s accounts from being hacked, like checking if the device logging in is new. They also said that they fixed the problems with the way that they stored some information.
Hopefully, Facebook’s users are able to feel safer, and Facebook can avoid any more security mishaps.
The last big Facebook security breach was announced half a year ago, on September 28, 2018. Back then, 50 million accounts were exposed to the theft of their access tokens (digital keys that allow one to access an account without having to log in).
These security breaches are not always devastating leaks of passwords and personal information. But the truth is that hundreds of millions of people’s passwords were exposed — and they should not have been.
Changing your passwords regularly is a very good idea, whether there is a breach or not. Some companies don't even notice when their users' information hasn't been protected. In this case, Facebook says that the problem was discovered in January, but according to an anonymous source the logging of plain passwords had been happening for years. Other companies do not announce it when it happens (for example, when Uber paid the hackers to keep quiet). To be safe, sometimes we should expect the worst.