A new security flaw has put the passwords of millions of Facebook users at risk, it has emerged.
Facebook stored a database of login details in plain text – and not encrypted – meaning they were searchable by thousands of its employees.
The mistake was revealed by security expert Brian Krebs on his website KrebsOnSecurity, and was confirmed by Facebook shortly after.
‘Hundreds of millions’ of users affected
“Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees – in some cases going back to 2012,” Krebs said.
The number of users affected was estimated at between 200 and 400 million by Krebs’ ‘Facebook source’.
“My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords,” he explained.
Facebook said it discovered the problem for itself during a routine security review at the start of 2019.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” the social media giant said.
Websites that use passwords must store those details somewhere, but usually they're kept as one-way (salted) hashes rather than as readable text, so that even if the list were to leak, all a potential hacker would see is a jumble of random characters.
But Facebook stored a large number of their passwords in plain text, with no encryption.
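As an added illustration, not Facebook's code and not from the article, this is what the two controls the incident turns on look like in a login service: store only a salted, iterated hash of the password, and scrub credential fields out of any event before it reaches a log. The field names, the iteration count and the record layout are assumptions.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed example. The stored record never contains the password itself,
# only a salted PBKDF2-HMAC-SHA256 digest that cannot be reversed.
PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>' for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _alg, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Assumed names of request fields that must never be written to a log.
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd", "new_password", "old_password"}


def scrub_for_log(event: dict) -> dict:
    """Replace credential values (at any nesting depth) with a marker."""
    out = {}
    for key, value in event.items():
        if isinstance(value, dict):
            out[key] = scrub_for_log(value)
        elif key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        else:
            out[key] = value
    return out


def log_login_attempt(event: dict) -> str:
    """The line that goes to the log: scrubbed JSON, never the raw request."""
    return json.dumps(scrub_for_log(event), sort_keys=True)
```

Logging the raw request dictionary instead of the scrubbed one is exactly the kind of "inadvertent logging" that makes plaintext passwords searchable by anyone with log access.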
Facebook said they would be notifying everyone who may have had their passwords stored insecurely, but “we’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Facebook software engineer Scott Renfro told KrebsOnSecurity.
“These passwords were inadvertently logged, but there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
How to change your Facebook password
If you’re still worried, you can change your Facebook password by clicking the arrow in the top-right corner of the page and selecting ‘Settings’.
Then, click on ‘Security and login’, then the ‘Edit’ button next to where it says ‘Change password’.
Choose your new password, before clicking ‘Save Changes’.