Sven Morgenroth, a security researcher at Netsparker, was interviewed by Paul Asadoorian for Hack Naked News #212. Sven talked about the leak that revealed how Facebook had been storing hundreds of millions of users’ passwords in plain text. Even though Facebook have claimed that there’s no proof anyone outside of the social media behemoth accessed them, Sven argues that the situation is still very problematic.
Between 200 and 600 million passwords were affected. The passwords were stored in plain text not only for users of the Facebook website, but also for users of Instagram and of Facebook Lite, the Android app. Although Facebook is trying to downplay the numbers, even using tricks to do so, Sven pointed out that if the larger figure is correct, this represents a quarter of all Facebook users.
Here are some intriguing facts about this news story:
- The original flaw with Facebook that produced this problem was introduced as far back as 2012.
- These passwords were accessible by 20,000 Facebook employees.
- Two thousand Facebook employees accessed datasets containing the passwords but – according to Facebook – none of them abused this information.
- The problem was revealed by an anonymous Facebook source, who knew that Facebook planned to announce it.
- Since it wasn’t technically a breach, Facebook had no legal obligation to inform the public, although, in the end, they did.
Sven concluded that Facebook probably did not do this on purpose; however, they were vague about how users may be impacted. He recommended that Facebook users change their passwords, and that Facebook store passwords hashed, ideally with added salts.
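To make the recommendation concrete, here is an added example (not code from the article, Netsparker or Facebook) that places the plain-text storage pattern described above next to salted, iterated hashing. The parameters are assumptions for illustration: PBKDF2-HMAC-SHA256 with 600,000 iterations and a random 16-byte salt per user. The in-memory dict stands in for a database.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the article).
ITERATIONS = 600_000   # work factor; raise as hardware gets faster
SALT_BYTES = 16        # fresh random salt for every user

def store_plaintext(db, username, password):
    """The pattern the article describes: whoever can read the store
    (or a log it was copied into) learns every password verbatim."""
    db[username] = password
    return db

def hash_password(password, salt, iterations=ITERATIONS):
    """Derive a fixed-length hash from the password and its per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def store_hashed(db, username, password):
    """Store only the salt, the work factor and the derived hash.
    The password itself never reaches the store."""
    salt = os.urandom(SALT_BYTES)
    db[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt),
    }
    return db

def verify_hashed(db, username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None:
        # Do the same amount of work for unknown users so that response
        # time does not reveal whether an account exists.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def same_password_looks_different(db, user_a, user_b):
    """Because salts differ, two users with the same password get
    different records, so a leaked table does not group them together."""
    a, b = db[user_a], db[user_b]
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]

if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    plain = store_plaintext({}, "alice", "correct horse battery staple")
    print("plain-text store reveals:", plain["alice"])

    hashed = {}
    store_hashed(hashed, "alice", "correct horse battery staple")
    store_hashed(hashed, "bob", "correct horse battery staple")
    print("hashed store reveals only:", hashed["alice"]["hash"].hex())
    print("login ok:", verify_hashed(hashed, "alice", "correct horse battery staple"))
    print("wrong password:", verify_hashed(hashed, "alice", "hunter2"))
    print("salted records differ:", same_password_looks_different(hashed, "alice", "bob"))
```

The point of the salt is the last check: even if two users choose the same password, their stored records differ, so an attacker who obtains the table cannot reuse one cracked hash against every matching account, and cannot precompute a single lookup table for the whole dataset.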
For further information about the original leak, see Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years. For Facebook’s response, see Keeping Passwords Secure.