James Thew - Fotolia
Hundreds of millions of Facebook passwords were exposed within the company, sparking a debate among infosec experts over whether it was a simple mistake or an example of bad-faith actions by the company.
Facebook Thursday admitted that hundreds of millions of user passwords were stored in plaintext within the company's network.
"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems," wrote Pedro Canahuati, vice president of engineering, security and privacy at Facebook, in a blog post. "To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users."
The Facebook disclosure came on the heels of a report by infosec journalist Brian Krebs that said "between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees," and, in some cases, the plaintext passwords were exposed as far back as 2012.
Some experts, like Troy Hunt, security researcher and founder of Have I Been Pwned, said there doesn't appear to be much risk to users at this point.
"Frankly, without evidence of exposure of the captured passwords, the risk of this is low," Hunt said via email. "Something else would have had to have gone badly wrong for this to have had any impact (i.e. captured data exposed to an unauthorised party)."
Alec Muffett, an infosec consultant and former Facebook software engineer, tweeted in defense of Facebook's password security.
"Facebook's password hashing is state of the art -- as I presented on FB's behalf at #Passwordcon in 2014 -- so password security is taken EXTREMELY seriously, and this is clearly a goof," Muffett tweeted. "Facebook do have frameworks, generally very-well-policed frameworks, for preventing sensitive stuff from being logged. The reported incident sounds bad & should clearly not have happened, so I am baselessly going to presume some failure-to-check in the logging mechanism."
Others, like Joseph Perry, director of research at infosec training and development firm Cybrary, said we must consider the length of time the passwords were exposed and the scale of the problem.
"The passwords being stored in plaintext is absurd on an almost cosmic scale, but the real issue at hand is the fact that it took this long to discover. A database of millions of passwords is not a small thing," Perry said. "This wasn't some database admin who just screwed up a configuration and forgot about it. This data set existed for years without anyone raising red flags. Facebook's security measures and internal controls are insufficient to prevent what is fundamentally a terrifying breach of trust."
Rebecca Herold, CEO of Privacy Professor, said even internally exposed Facebook passwords are a significant problem, and that it is "an indicator that there could be some other significant security vulnerabilities within the Facebook environment."
"Throughout the many risk assessments I've performed, wherever there were problems with the security of passwords, there were usually significant other security problems, as well," Herold wrote in an email. "Facebook would be wise, if they are confident of their information security practices, to have an objective third party perform a risk assessment and communicate the overall results publicly. Otherwise, it seems they are trying to hide their security problems."
Possible insider threats
Another point of debate surrounding the issue is the potential risk of an insider threat inappropriately using the plaintext Facebook passwords. Facebook hasn't had any known insider threats in the past, but Perry noted that might not mean much.
"It's true that Facebook has no serious history of insider threats; but on the other [hand], one of the reasons insider threat is such a danger is because it's prohibitively difficult to detect," Perry said. "That sounds tinfoil hat, but the entire point of defense in depth is to handle the fundamental fact that we simply can't identify all potential threats. The lack of [an] identified insider threat doesn't in any way discount the danger inherent to this access."
Herold agreed, saying that "any organization with more than one employee has an internal threat issue," and adding that the issue could extend beyond Facebook employees.
"Remember, they are a largely unregulated entity. They aren't required to report when their own employees do bad things, unless it falls under the definitions of the various applicable breach notice laws, and other applicable laws, of which few are currently covering employees' access to personal data," Herold wrote.
"Actually, all those third parties that Facebook has notoriously given access to user profiles, accounts, posts, etc. is a type of insider threat. The threat of 1) lack of acceptable controls on their third parties, and 2) as business partners, those entities are insiders, who had extensive access to far more than they ever should."
The timing of the Facebook disclosure
Making the situation more complex, Facebook admitted in its blog post that it first discovered the plaintext passwords "as part of a routine security review in January," meaning the company knew about the exposure for three months before disclosing it. Additionally, Facebook said it "will be notifying everyone whose passwords we have found were stored in this way," implying the company has not yet started notifying affected users.
Hunt said although it may not reflect well on Facebook, he understands the decision to not disclose or notify users right away.
"I can imagine why they perhaps didn't think this was worth initially disclosing because there hasn't been any impact to customers. On the other hand, it's the sort of thing that if leaked would make them look rather foolish so with the benefit of hindsight, they probably should have gotten on the front foot with this like Twitter and GitHub did last year," Hunt said. "Notifying all impacted users feels very much like one of those 'abundance of caution' things. If there was no actual impact on customers, I can understand why they may have chosen not to disclose, it's just not particularly good optics, as they'd say."
Herold said Facebook's decision to not notify users was "disappointing, but not surprising." The delay in Facebook's disclosure was another example of the company "not making any security concerns public until they are forced to do so," she said.
"If I was a shareholder, I'd be very concerned about the opaque manner in which Facebook communicates their cybersecurity practices," Herold said. "If they have sat on knowing about this security risk for the past three months, then they certainly won't rush to communicate more than they are compelled to do. And, since, from what has been reported, the cleartext passwords in storage does not meet the requirements for breach notifications for most (all?) breach notice laws, they are likely trying to decide how to communicate the information, with as little reputational impact as possible."
Perry called this another example of Facebook's "history of bad-faith and insufficient transparency."
"The fact that they've concealed this breach for months is yet another straw on the back of an already broken camel," Perry said. "This is yet another case of bad faith from a tech giant which relies upon functional monopoly in order to avoid legitimate consequences."