This article is more than 1 year old

Let's spin Facebook's Wheel of Misfortune! Clack-clack-clack... clack... You've won '100s of millions of passwords stored in plaintext'

Credentials logged for years is antisocial network's latest Zuck-up

Facebook today admitted it stored "some" of its addicts' account passwords in a plaintext readable format. For "some", read hundreds of millions.

The antisocial network quietly made the mea culpa in a statement that followed its breathless announcement of the Oculus Rift S Virtual Reality headset. The password snafu confession was, as far as we can tell, forthcoming from the Silicon Valley giant only after investigative journalist Brian Krebs blew the lid off the blunder.

Facebook said it realized its error in January, during a security review, and discreetly fixed the problem. Affected users can expect to receive a notification, although the Mark-Zuckerberg-run biz did not state if they would be required to change their password.

Keen to downplay the screw-up, Facebook protested that "these passwords were never visible to anyone outside of Facebook." And as for insiders getting their hands on the credentials? In a not-very-reassuring statement, the creepy ad-slinger asserted: "We have found no evidence to date that anyone internally abused or improperly accessed them."

The snafu affects hundreds of millions of Facebook Lite fans, tens of millions of other Facebook account holders, and tens of thousands of Instagrammers – somewhere between 200 and 600 million total, according to Krebs' sources' estimates.

As users logged in, their passwords were stored in a readable format that could be accessed via internal systems. Basically, it logged the credentials in plaintext, and Facebook engineers were allowed to peruse those logs while looking for bugs and faults, though we're assured no one did anything bad with the sensitive data. This is the same biz that this month lied about how many teens were using its market-research-slash-surveillance app, and has repeatedly lied in the past, so take the statement with a pinch of salt.


In a humiliating climbdown, Facebook agrees to follow US laws


Facebook Lite is the lower-bandwidth version of the platform, ideal for regions without the greatest connectivity. Such as, er, chunks of rural Blighty, for example.

We asked the snuff-flick slinger how long it had been storing passwords in this way, how many employees had access to the data and what controls it had in place to stop the data leaving its hallowed halls. Facebook has yet to reply. We understand at least some of the passwords were logged as early as 2012.

It has not been a great week for the social media giant, coming hot on the heels of an impressive 14-hour outage following a mystery "configuration change" and a quiet shuffling of feet and staring at shoes regarding its ad targeting system and discrimination.

The megacorp has the usual perfunctory advice for those twitchy about security, including not reusing passwords over multiple systems and picking strong and complex character combinations. It also suggests that two-factor authentication could be used.

Or just don't use the thing at all. There's a thought.

And as for the idiot visor announced yesterday, with a resolution quite some way behind HP's Reverb device, which also debuted this week, we suspect that the "S" in Oculus Rift S stands for the same word users will utter when they get their password notification.

Spoiler: it isn't "Super". ®

More about

More about

More about


Send us news

Other stories you might like