Facebook Says It Left ‘Hundreds of Millions’ of Users’ Passwords Stored in Plain Text


From The Washington Post:

Facebook on Thursday said that it had left “hundreds of millions” of users’ passwords exposed in plain text, potentially visible to the company’s employees, marking another major privacy and security headache for a tech giant already under fire for mishandling people’s personal information.

Facebook said it believed the passwords were not visible to anyone outside the company and had no evidence that its employees “internally abused or improperly accessed them.” But it said it would notify users of Facebook as well as its photo-sharing site, Instagram, that they had been affected.

The incident was first revealed by the Krebs on Security blog, which estimated the total number of affected users ranged between 200 million and 600 million. Facebook declined Thursday to confirm the estimate.

. . . .

Like most companies, Facebook said it stores passwords using a technique called hashing that’s supposed to make them unreadable. But a security review in January, detailed in a blog post Thursday, found they were actually stored in a readable format, a problem Facebook said it has since fixed. Most affected were users of Facebook Lite, the company said, a stripped-down version of the social network that’s largely in use in countries with lower Internet-connection speeds.

Link to the rest at The Washington Post

PG wonders if there is any manner in which Facebook can’t screw up.

7 thoughts on “Facebook Says It Left ‘Hundreds of Millions’ of Users’ Passwords Stored in Plain Text”

  1. Best practices say not to ever save a user password at all. What’s done is that the password is combined with a secret prefix and then one-way hashed (transformed using an algorithmic function that results in a long alphanumeric string) in such a way that it cannot be reversed — you can’t take the hash and figure out the password.

    The software handling the password function should throw the user password away and only the hash gets saved anywhere. When you log on, they add the prefix, calculate the hash and see if it matches. If the hashes get stolen it’s a huge amount of work to try to reverse them, and if they are salted (the prefix) properly it’s almost not possible.

    These are ‘best practices’, and I’m sure there are plenty of people at Facebook that know about them. The fact that somebody was able to do this without adult supervision is what is unfortunate.

    • “The fact that somebody was able to do this without adult supervision is what is unfortunate.”

      You can’t expect any actual useful ‘adult supervision’ at fb – it’s fb after all! (another hint is the joker running it – how can he pretend that things happened that he didn’t know/control if they’re locked down too tight?)
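The salted one-way hashing scheme described in the first comment, as an added worked example (this is not code from the original page, and nothing here is Facebook's implementation). It assumes PBKDF2-HMAC-SHA256 as the slow hash, a hypothetical server-side secret `PEPPER` standing in for the commenter's "secret prefix", a hypothetical iteration count, and a record format of my own (`algo$iterations$salt$digest`) for what gets stored in place of the password:

```python
import hashlib
import hmac
import os

# Hypothetical server-side secret (the "secret prefix" the comment describes,
# usually called a pepper). In practice it lives in a secrets store or HSM,
# never in the same database as the hashes. Constructed value for this example.
PEPPER = b"example-pepper-kept-out-of-the-user-database"

# Work factor for PBKDF2-HMAC-SHA256. Assumption for the example; tune so a
# single hash costs on the order of 100 ms on the servers that run it.
ITERATIONS = 600_000

ALGO = "pbkdf2_sha256"


def hash_password(password: str, pepper: bytes = PEPPER, iterations: int = ITERATIONS) -> str:
    """Return the record to store instead of the password.

    The plaintext is combined with the pepper and a fresh random salt, then run
    through a slow one-way function. Only the salt (which may be public) and
    the digest are persisted; the password itself is never written anywhere.
    """
    salt = os.urandom(16)  # unique per user, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", pepper + password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the login attempt and compare it to the stored record.

    Returns False for malformed records rather than raising, so a corrupted
    row cannot turn into a crash on the login path.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != ALGO or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", pepper + password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: an ordinary == would leak, via timing, how many
    # leading bytes of the guess matched.
    return hmac.compare_digest(candidate, expected)


def record_contains_plaintext(password: str, record: str) -> bool:
    """The check the incident above failed: is the password itself readable in what was stored?"""
    return password in record or password.encode("utf-8").hex() in record


if __name__ == "__main__":
    # Constructed sample input: two users who happen to choose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("alice:", alice)
    print("bob:  ", bob)
    print("same password, different records:", alice != bob)
    print("login ok:", verify_password("correct horse battery staple", alice))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", alice))
    print("plaintext in record:", record_contains_plaintext("correct horse battery staple", alice))
```

Note that losing the pepper does not break existing records (every login simply fails until it is restored), while leaking it removes one layer of defence but still leaves the attacker with a salted, slow hash per user. Rotating the work factor is handled by re-hashing at the next successful login, since the iteration count is carried in the record.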

  2. This was a particularly egregious cock-up but, given the way that other companies have leaked data, there are still extensive opportunities for Facebook to make it worse.

    Two big lessons: never trust Facebook with valuable data and never reuse passwords.

  3. I wonder if there’s any screwup Facebook can make that will make their user base abandon them, but considering how much they’ve already done, I think that’s unlikely.
    I’ve come to the unsettling conclusion that people just don’t care about privacy in the digital age.

    • I’m not so sure that people don’t care about privacy; it’s more a matter of there’s no viable alternative.

      I joined FB (reluctantly and long after most people had) to have an author presence there. Once I was there, I connected with cousins I hadn’t spoken to in ages, former coworkers, former classmates. They were already there. I could announce that I’m leaving FB today and request they all email me with their news, pictures, videos, etc., but I guarantee most of them wouldn’t. FB makes it so easy to do that kind of thing, they probably wouldn’t bother with an email just for me.
