Facebook confirmed on Thursday, in a blog post by Pedro Canahuati (VP Engineering, Security and Privacy), that it had stored hundreds of millions of account passwords in plaintext for years!
As part of a routine security review in January, Facebook's security team found that some user passwords were being stored in a readable format within its internal data storage systems. Although the login systems are designed to mask passwords using techniques that make them unreadable, that was not the case here.
Facebook says the passwords were never intended to be visible to anyone outside of Facebook, and the team has found no evidence to date that anyone internally abused or improperly accessed them. Facebook has since fixed the problem and claims that nothing is more important than protecting people's information, and that it will continue making improvements as part of its ongoing security efforts.
Facebook will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users about this issue.
Let us know if you get any notification from Facebook, ya!
So, How Does Facebook Protect Our Passwords?
According to Pedro Canahuati, Facebook masks people's passwords when they create an account so that no one at the company can see them. In security terms, Facebook "hashes" and "salts" the passwords, using a function called "scrypt" together with a cryptographic key, which lets it irreversibly replace your actual password with a random set of characters. With this technique, Facebook can validate that a person is logging in with the correct password without having to store the password in plain text.
In general, Facebook has built security measures to help protect people's accounts, including:
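To make the "hash and salt with scrypt plus a key" description concrete, here is an added example (written for this post, not Facebook's code) of what the stored record looks like and how a login is checked against it. The scrypt cost parameters, the HMAC-with-server-key step, and the key value itself are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret ("pepper"). In a real system this lives in a
# key-management service, never in the database next to the hashes.
SERVER_KEY = b"constructed-server-key-not-a-real-secret"

# scrypt cost parameters (assumed demo values; tune for your own hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32


def derive(password: str, salt: bytes) -> bytes:
    """scrypt over password+salt, then HMAC with the server key (assumed construction).

    The salt stops two users with the same password from sharing a hash; the
    server key means a stolen database alone is not enough to run guesses.
    """
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.new(SERVER_KEY, digest, hashlib.sha256).digest()


def hash_password(password: str) -> dict:
    """Return the record a login database stores: a fresh salt and the derived value.

    The plaintext password is never part of the record.
    """
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "hash": derive(password, salt).hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)                        # no plaintext in here
    print("right password:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("Password123", rec))
    # Same password, second user: the random salt gives a different record.
    print("same pw, different hash:", hash_password("correct horse battery staple")["hash"] != rec["hash"])
```

The point of the record layout is that "validating without storing" is just recomputing the same one-way function at login time; nothing in the table can be turned back into the password.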
Variety of Signals
Facebook uses a variety of signals to detect suspicious activity. For example, even if a password is entered correctly, Facebook treats the login differently if it detects that the password is being entered from an unrecognized device or from an unusual location. When Facebook spots a suspicious login attempt, it asks additional verification question(s) to prove that the person is the real owner of the account.
Facebook will also send out alerts about unrecognized logins if the user has signed up for them.
Monitoring Across Platforms
Knowing that some people reuse their passwords across different services and platforms, Facebook keeps a close eye on data breach announcements from other organizations and on publicly posted databases of stolen credentials. If any of this information matches a Facebook account, Facebook notifies the user during login and guides the user to change their password as a security measure.
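The two signals named above (unrecognized device, unusual location) and the opt-in alert can be shown as a small risk-based login decision. This is an added illustration, not Facebook's actual logic; the profile fields, decision names and sample events are all constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """Constructed per-user context (assumed fields, not Facebook's real model)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    login_alerts_enabled: bool = False   # the opt-in "unrecognized login" alert


@dataclass
class LoginAttempt:
    password_ok: bool    # outcome of the hash comparison, already done
    device_id: str
    country: str


def assess_login(profile: UserProfile, attempt: LoginAttempt) -> dict:
    """Decide what to do with a login whose password check has already run.

    reject               - wrong password; nothing else matters
    allow                - correct password, known device, usual location
    step_up_verification - correct password, but the context looks off,
                           so the user is asked additional verification questions
    """
    if not attempt.password_ok:
        return {"decision": "reject", "signals": ["bad_password"], "alert": False}

    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("unrecognized_device")
    if attempt.country not in profile.usual_countries:
        signals.append("unusual_location")

    decision = "step_up_verification" if signals else "allow"
    # Alerts are opt-in and fire only for logins from a device the user has not used before.
    alert = profile.login_alerts_enabled and "unrecognized_device" in signals
    return {"decision": decision, "signals": signals, "alert": alert}


def complete_step_up(profile: UserProfile, attempt: LoginAttempt, verified: bool) -> bool:
    """Once the extra check passes, remember the device so the next login is quiet."""
    if verified:
        profile.known_devices.add(attempt.device_id)
    return verified


if __name__ == "__main__":
    alice = UserProfile({"laptop-1"}, {"MY"}, login_alerts_enabled=True)
    for attempt in (
        LoginAttempt(True, "laptop-1", "MY"),   # normal login
        LoginAttempt(True, "phone-9", "MY"),    # new device -> step-up + alert
        LoginAttempt(True, "laptop-1", "RU"),   # odd location -> step-up, no alert
        LoginAttempt(False, "laptop-1", "MY"),  # wrong password
    ):
        print(attempt.device_id, attempt.country, assess_login(alice, attempt))
```

The design choice worth noticing is that a correct password is necessary but not sufficient: the decision is made on the password result plus context, and the alert is tied to the user's own preference rather than to every risky login.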
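Matching a publicly posted credential dump against salted scrypt hashes does not require reversing anything: each leaked plaintext is hashed under the account's own salt and compared with the stored value. The added example below shows that check and the forced password change at the next login; it is written for this post, not taken from Facebook. The account table and the dump are constructed sample data, and the server-side key from the earlier description is left out to keep the block self-contained (an assumed simplification).

```python
import hashlib
import hmac
import secrets


def scrypt_hash(password: str, salt: bytes) -> bytes:
    # Same kind of salted scrypt construction the post describes (assumed parameters).
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def make_account(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": scrypt_hash(password, salt), "must_reset": False}


# Constructed account table (sample data, not real users).
ACCOUNTS = {
    "alice@example.com": make_account("Winter2019!"),
    "bob@example.com": make_account("correct horse battery staple"),
}

# Constructed excerpt of a credential dump posted after a breach at some other site.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "Winter2019!"),  # reused password: will match
    ("bob@example.com", "hunter2"),        # different password here: no match
    ("nobody@example.com", "whatever"),    # no such account
]


def match_breach_dump(accounts: dict, dump: list) -> list:
    """Return the emails whose current password equals a leaked one.

    The leaked plaintext is hashed under the account's own salt and compared in
    constant time; the stored hash is never reversed and the leaked value is not
    written anywhere. Matching accounts are flagged so the next login is
    interrupted with a password change.
    """
    flagged = []
    for email, leaked_password in dump:
        record = accounts.get(email.lower())
        if record is None:
            continue
        candidate = scrypt_hash(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            record["must_reset"] = True
            flagged.append(email)
    return flagged


def login_action(accounts: dict, email: str, password: str) -> str:
    """What the login flow does after checking the password itself."""
    record = accounts[email]
    if not hmac.compare_digest(scrypt_hash(password, record["salt"]), record["hash"]):
        return "reject"
    return "force_password_change" if record["must_reset"] else "allow"


if __name__ == "__main__":
    print("flagged:", match_breach_dump(ACCOUNTS, LEAKED_CREDENTIALS))
    print("alice logs in:", login_action(ACCOUNTS, "alice@example.com", "Winter2019!"))
    print("bob logs in:", login_action(ACCOUNTS, "bob@example.com", "correct horse battery staple"))
```

Because the comparison is done with the user's salt, a dump of a million passwords costs a million scrypt evaluations against only the accounts whose email appears in the dump, which is affordable for the defender and no easier than it is for anyone else.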
Well, it looks like Facebook is trying its best to secure our identities and passwords. But then again, the Internet is soooo huge that normal people like us only see the tip of the iceberg. What about the Deep and Dark Web? Anyway, remember to change your passwords frequently and make sure they are not easy ones.