Facebook software meant to disguise user passwords from employee access failed, leaving millions of passwords visible to the network’s employees, the company said on Thursday, March 21. The network said the bug was discovered in a routine review in January and has since been corrected. The bug exposed passwords for users on Facebook, Facebook Lite, and Instagram.
Facebook hasn’t found any evidence that the passwords were compromised externally — the bug only exposed plain text passwords for the company’s employees, according to Facebook. The company also said they haven’t found evidence of internal employees abusing the information. Facebook didn’t say why it delayed telling users after finding the bug in January.
Passwords on Facebook are meant to be encrypted. The network hashes the password, allowing the system to recognize the correct password without storing the data in plain text. To employees working on Facebook’s backend, passwords should look like jumbled characters that can’t be reverse engineered to display the actual password.
Facebook says they will notify the users that were affected by the bug. The company estimates hundreds of millions of Facebook Lite users were affected, the lightweight Facebook app designed for slower connections. Tens of millions of other Facebook users could also have compromised passwords, along with tens of thousands of Instagram users.
Facebook says that hashing is used with other procedures for password protection, like recognizing when a user signs in with a different device and prompting verification. The network says that they also check for other password breaches since users sometimes use the same passwords across multiple websites.
“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them,” Pedro Canahuati, Facebook’s vice president of engineering, security, and privacy, wrote in a blog post. “There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.”
Facebook says concerned users can reset their password for both Facebook and Instagram inside the settings for each account. The company also suggests using security keys and two-factor authentication. (Facebook, however, will use your phone number for more than two-factor authentication, so we recommend using a third-party authentication app instead of a phone number.)
For Facebook, the password bug is just another bullet point in the network’s growing list of data issues following the Cambridge Analytica scandal. CEO Mark Zuckerberg recently shared his vision for moving toward a more privacy-focused network following the increased scrutiny over the company’s data practices.