The privacy issues never seem to end for Facebook. The company has been embroiled in a string of troubles since 2017, the latest of which is a massive password security breach. The Facebook password leak of early 2019 appears to have exposed users’ plaintext passwords to company employees.

At the moment, the best available information indicates that the passwords of between 200 and 600 million Facebook users were exposed. About 20,000 Facebook employees potentially had access to these passwords in plaintext, and this appears to have been ongoing since 2012.

How did the Facebook password leak happen?

The information was leaked to Brian Krebs on March 21 by an anonymous source claiming to be a Facebook employee. The Facebook password leak was confirmed by the company an hour after it began appearing in the media.

The security lapse consists of a database of hundreds of millions of plaintext user passwords, widely accessible to Facebook staff. It is estimated that around 20,000 company employees had access to the leaked passwords, but the whistleblower’s data indicated that about 2,000 Facebook employees have run about nine million queries on the database since it first appeared in 2012. The company claims that employees no longer have access to this database.

How did this Facebook password leak come about? Krebs is reporting that certain company employees created internal apps able to log unencrypted passwords, and these passwords were being stored automatically in a massive database. Facebook security engineer Scott Renfro claims that this was an inadvertent side effect of other work, and that the company’s internal investigation has not yet revealed any misuse of user data. It’s still very unclear as to how intentional all of this was and whether any Facebook employee abused or improperly accessed this information.

What’s the fallout?

The internal investigation of the Facebook password leak is still ongoing, but right now the company is estimating that up to about one-quarter of its user base potentially had their passwords exposed in the database. The company has opted to notify hundreds of millions of affected users individually rather than implement a site-wide forced password reset.

The incident seems to mostly be tied to Facebook Lite, a stripped-down Android app meant for users who have older mobile devices or a slow internet connection. This app is most commonly used in India and the United States. Facebook estimates that the vast majority of the compromised passwords are those of users who had logged in with Facebook Lite at least once. However, the company did state that they are contacting millions of other Facebook users and tens of thousands of Instagram users about exposed passwords in addition to the hundreds of millions of Facebook Lite users.

It’s very possible that the Facebook password leak is simply a logging error, as the company claims. If true, that would greatly minimize the potential for damage. However, Facebook users still have to consider that roughly half of the company’s employees may have been able to look up their password since 2012.

This incident also requires some reading between the lines. Facebook appears to have discovered this data breach internally back in January during a routine security review, but sat on it and did not begin contacting users until the whistleblower came forward last week. It is also important to note that the investigation is ongoing. The numbers put forward thus far are Facebook’s initial estimates. We have seen any number of similar incidents in the past in which numbers inflated sharply over a period of weeks or months following the initial report.

Facebook will be contacting users whose passwords were exposed directly, but it’s prudent for anyone with a Facebook account to take some added security steps in light of this news. At minimum, a password change is probably a good idea. As Paul Ducklin, Senior Technologist at Sophos observed: “If any passwords did get into the wrong hands … then you can expect them to be abused. Plaintext passwords are the real deal without any further hacking or cracking needed.”

Ducklin also suggests that any users who do not have two-factor authentication (2FA) should use the Facebook password leak as a prompt to do so. “It means that a password alone isn’t enough for crooks to raid your account. If you are reluctant to give Facebook your phone number, use app-based authentication, where your mobile phone generates a one-time code each time you log in.”

Closing your account is an extreme measure that Ducklin does not recommend based on what we know about the Facebook password leak at this time – at least not unless you’re well and truly fed up with the service. “Given that the wrongly-stored passwords weren’t easily accessible in one database, or deliberately stored for routine use during logins, we don’t think this breach alone is enough reason to terminate your account. On the other hand, it’s a pretty poor look for Facebook, and it might be enough, amongst all the other privacy concerns that have dogged Facebook in recent years, to convince you to take that final step. In short, you have to decide for yourself.”

As if it needed to be said again: Don’t reuse passwords

The foolhardiness of recycling login credentials between different accounts has been demonstrated over and over by various hacks and data breaches over the past decade. This recent Facebook password leak is just another example. Passwords may not even need to be hacked to be compromised; all it takes is some rogue employees in combination with passwords stored in a readable format, and this type of internal violation can go undetected for years.

Paul Bischoff, privacy advocate at Comparitech.com notes: “Although Facebook says there were no signs of abuse, it seems unlikely that none of the alleged 20,000 employees with access to those passwords even once poked around where they shouldn’t have. Facebook says it won’t require password resets until it does find signs of abuse, but I would recommend changing your account password, anyway. Be sure to use a password that’s at least 12 characters, uses a combination of numbers, symbols, and upper- and lower-case letters, and is unique to your Facebook account.”

While end users are becoming increasingly educated about password security, there is still a very broad perception that big companies like Facebook will at least protect one’s password internally. Additionally, even people who are familiar with cybersecurity principles often believe that company employees do not have access to their plaintext passwords. The news of this Facebook lapse will likely shake these views; what should companies be doing to restore customer confidence?

Felix Rosbach, product manager at data protection specialists comforte AG, points out that while Facebook may well have simply committed a technical blunder here, their security practices were still not excusable: “From legacy databases with fixed record lengths making hashing impossible to dependencies of various enterprise applications, there are many reasons for companies to store passwords in clear text or in a reversible format … companies have to make sure that passwords are protected in an irreversible, non-readable format. With modern protection mechanisms like irreversible tokenization even legacy infrastructure is not an excuse anymore.”
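As an added illustration (not code from the article, from Facebook, or from comforte AG), here are the two controls that the logging error described above and Rosbach’s comment point to: a log filter that masks credential fields before an internal app can write them to a log sink, and password storage as a salted, deliberately slow, irreversible hash. The list of sensitive field names and the PBKDF2 parameters are assumptions for this example.

```python
import hashlib
import hmac
import logging
import os
import re

# Field names whose values must never reach a log or database in the clear
# (assumed list; a real deployment would tune this to its own schemas).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}
REDACTED = "[REDACTED]"

# Matches free-text forms such as "password=hunter2" or "pwd: hunter2".
_KV_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)\s*[=:]\s*\S+")


def redact(fields):
    """Return a copy of a structured log event with credential fields masked."""
    return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in fields.items()}


def redact_text(message):
    """Mask credential key=value pairs inside a free-text log line."""
    return _KV_PATTERN.sub(lambda m: f"{m.group(1)}={REDACTED}", message)


class CredentialRedactingFilter(logging.Filter):
    """Attach to a logger so formatted messages are scrubbed before any handler sees them."""

    def filter(self, record):
        record.msg = redact_text(record.getMessage())  # interpolate args, then scrub
        record.args = ()
        return True


def hash_password(password, salt=None, iterations=600_000):
    """Derive a salted PBKDF2-HMAC-SHA256 digest; only this string is ever persisted."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest from the stored parameters and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    log = logging.getLogger("login")
    log.addFilter(CredentialRedactingFilter())
    logging.basicConfig(level=logging.INFO)
    log.info("login attempt user=%s password=%s", "alice", "hunter2")  # logged with the password masked
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
```

Because verification recomputes the digest from the stored salt and iteration count, an operator with full read access to the database still cannot recover the original password, which is the property the plaintext logging described above lacked.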

Another bad look for Facebook – More fuel on the antitrust fire?

As mentioned, it’s very possible that this was a technical error: one that really isn’t excusable given Facebook’s position and the highly-paid expertise they have in house, but not necessarily something that was done with bad intent.

However, it’s tough to give the social network the benefit of the doubt at this point. Facebook has been making moves that warrant scrutiny and caution since the very beginning, when founder Mark Zuckerberg used user passwords from the original incarnation of his site to hack into email accounts at The Harvard Crimson.

2020 presidential candidate Elizabeth Warren recently proposed breaking up big tech companies like Facebook on the basis of competition law, something that has already been brought to bear (in a much more limited way) in Germany and has been discussed in other EU nations. The effective result of her proposal would be that big tech outfits with more than $25 billion in annual revenue would have to spin off various services and acquired companies as independent entities. Some mergers, such as Facebook’s acquisition of Instagram, would be forcibly reversed.

This sort of talk is new to the American political landscape and Warren’s proposals are the first serious ones of this nature for the 2020 race. It remains to be seen how much traction these ideas will get, but other Democratic challengers (such as Amy Klobuchar and Bernie Sanders) have signaled willingness to regulate tech companies in this way.