Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years (krebsonsecurity.com)

Brian Krebs has the scoop:

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

Shortly after Krebs went live with this report, Facebook acknowledged that they failed at fundamental security practices in a press release titled “Keeping Passwords Secure”, because of course they did. Twitter used basically the same title when they, too, admitted to logging users’ passwords in plain text.
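The failure mode Krebs describes is internal applications writing request data, password field included, straight into logs. As an added illustration (my own code, not Facebook's or Krebs's), here is a Python logging filter that masks credential fields before a record reaches any handler, plus a scanner that finds unmasked credentials in existing log lines. The field names, the mask string and the sample log lines are constructed for the example.

```python
import logging
import re

# Field names whose values must never reach a log line (constructed list, extend as needed).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}

# Matches key=value, key: value and "key": "value" forms inside free-text log lines.
KV_PATTERN = re.compile(
    r'(?i)\b(' + "|".join(sorted(SENSITIVE_KEYS)) + r')\b(["\']?\s*[:=]\s*["\']?)([^"\'&\s,]+)'
)
MASK = "[REDACTED]"

def redact(obj):
    """Recursively mask sensitive values in dicts, lists and free-text strings."""
    if isinstance(obj, dict):
        return {k: (MASK if k.lower() in SENSITIVE_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return KV_PATTERN.sub(lambda m: m.group(1) + m.group(2) + MASK, obj)
    return obj

class RedactingFilter(logging.Filter):
    """Scrubs both the format string and its arguments before any handler sees the record."""
    def filter(self, record):
        record.msg = redact(record.msg)
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif record.args:
            record.args = tuple(redact(a) for a in record.args)
        return True

def find_leaks(lines):
    """Scan existing log lines; return (line_no, key) for each unmasked credential found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in KV_PATTERN.finditer(line):
            if m.group(3) != MASK:
                hits.append((n, m.group(1).lower()))
    return hits

# Constructed sample log lines, not real data; lines 2 and 3 leak a password, line 4 does not.
SAMPLE_LOG = [
    '2019-03-21 10:00:01 INFO login ok user=alice',
    '2019-03-21 10:00:02 DEBUG request body {"user": "bob", "password": "hunter2"}',
    '2019-03-21 10:00:03 DEBUG form data user=carol&password=s3cret&remember=1',
    '2019-03-21 10:00:04 INFO password reset email sent user=dave',
]
```

Attach `RedactingFilter` to the root logger with `logging.getLogger().addFilter(RedactingFilter())`; `find_leaks` is the retrospective check you would run over archived logs to measure exposure like the one described above.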

As with Equifax, investors continue to not give one shit about any of these scandals, even as the company is slowly eroding any remaining semblance of care about privacy, security, or basic ethics. As of writing, the company’s stock is up about a dollar for the day, and about $30 since the beginning of the year.