Facebook may have just failed one of its first tests since announcing its “pivot to privacy.” On Thursday, Brian Krebs reported that Facebook had been storing hundreds of millions of user passwords in plain text on internal company servers. These passwords were searchable by more than 20,000 Facebook workers, though the company says there’s currently no evidence that any employees accessed or used the passwords in any improper way.
Even if no harm came of this vulnerability, which was far more likely the result of carelessness than malice, this is a big deal. The whole point of a password, after all, is that it’s kept secret so that other people can’t access your account. It’s why we trust Facebook as a place to have deeply personal conversations, make business deals, plan protests, stalk our crushes, join private discussion groups on sensitive topics, use credit cards, and communicate under our own names. Vulnerabilities happen to every company like Facebook. The way to maintain trust is to disclose them, which Facebook didn’t do until after Krebs published his report.
But what makes this news most worrisome is the group of Facebook users who were primarily affected. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” Pedro Canahuati, Facebook vice president of engineering, security, and privacy, wrote in a Thursday blog post unironically titled “Keeping Passwords Secure.” Facebook Lite is a Facebook app that’s primarily designed for users in areas with limited data and unreliable internet connections; a very large chunk of those users live in less affluent countries. For many, using the internet over their phone and via Facebook may be their primary way of getting online and doing business. They’re among the neediest Facebook users, and it now looks like the company was particularly careless with their privacy.
There are a few ways Facebook monitors for suspicious activity in case someone does use another person’s password to get into their account. If an account is accessed from an unrecognized device, Facebook may ask an additional security question. That’s great—just be sure that your Facebook password and your email password aren’t the same, since someone who can’t answer your security questions can probably still change your password by having a reset link sent to your email. Facebook also checks publicized data breaches at other services to see whether the leaked emails and passwords match users’ Facebook logins. If they do, Facebook prompts those users to change their passwords. That’s also great. This case is different, because these passwords were exposed on Facebook’s own servers—a relative comfort only if you trust every person who works at Facebook. CEO Mark Zuckerberg’s recent announcement that his company would pivot to emphasize encrypted communication wouldn’t really solve much here. If your password is treated flippantly by a platform—no matter whether the messages in your account are sent using end-to-end encryption—a malicious actor could get in.
The company said in the blog post that it first discovered the problem in January and that it’s now fixed. It’s now March—and while Facebook attributed the delay to “the scattered nature of the problem,” it still means Facebook knew for two months that its users’ passwords were sitting on a company server available for the plucking and said nothing. Instead, a reporter made the information public, and then Facebook gave its version of what happened.
It is encouraging to hear Facebook executives talk so much these days about the importance of privacy. Telling users about issues like this before someone else does would make their rhetoric a lot more convincing.