After a whistleblower leaked the news to journalist Brian Krebs, who announced it on his blog, Facebook officially admitted that it had stored hundreds of millions of user passwords without encryption for the past seven years.
Coming a couple of weeks after Mark Zuckerberg made a splashy announcement about the company’s big pivot to encryption, this incident may turn his splash into a belly flop. Of all Facebook’s security and privacy blunders in the past couple of years, this one is the most puzzling and infuriating.
It appears Facebook violated five fundamental tenets of data security:
Never store passwords in plaintext. Industry best practice stores passwords as salted hashes. Facebook says they normally do this, but somehow these passwords fell through the cracks.
Never log passwords. It appears these plaintext passwords were found in archived logs.
Review internal code and systems regularly. Facebook says the passwords were discovered through a “routine security review”, yet reviews for the past seven years didn’t find them.
Limit privileged system access to as few people as possible. Facebook says 20,000 engineers and developers had access to these unencrypted passwords.
Report breaches of sensitive personal information promptly. Facebook didn’t notify anyone about this situation for three months, until a whistleblower forced the issue.
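The first two tenets above in working code, as an added example that is not part of the original post and says nothing about Facebook's internal scheme: a salted scrypt password store using Python's standard-library hashlib.scrypt, and a logging filter that redacts password-like fields before a record ever reaches a log file. The scrypt parameters, the field-name pattern and the RedactSecrets class are my own assumptions.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import Optional

# Tenet 1: store only a salted, slow hash. Parameters are an assumption for this
# example (N=2^14, r=8, p=1 uses about 16 MiB per hash); tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<hash hex>'; a fresh 16-byte random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Tenet 2: never log passwords. Matches 'password=x', 'pwd: x', '"passwd": "x"'.
_SECRET_RE = re.compile(r'(?i)(password|passwd|pwd)(["\']?\s*[:=]\s*["\']?)([^\s"\'&,]+)')


def redact(text: str) -> str:
    """Replace the value of any password-like field with a fixed marker."""
    return _SECRET_RE.sub(r"\1\2[REDACTED]", text)


class RedactSecrets(logging.Filter):
    """Attach to a handler or logger; rewrites the formatted message in place."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated above; prevent a second % formatting
        return True


def logged_text(fmt: str, *args) -> str:
    """Build a record the way logging does, run it through the filter, return the text."""
    rec = logging.LogRecord("auth", logging.INFO, __file__, 0, fmt, args, None)
    RedactSecrets().filter(rec)
    return rec.getMessage()
```

Attach the filter with `logging.getLogger().addFilter(RedactSecrets())`; it is a backstop for stray debug lines, not a substitute for keeping credentials out of log calls in the first place.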
Facebook bashing is a popular pastime in the security community, but I’ve tried not to pile on.
I’ve met Facebook’s data security team. They’re good, hard-working folks operating in a challenging environment. But this is a perfect storm of mistakes that needs to be explained.
Facebook should publicly explain why these passwords were logged or stored in plaintext, why seven years of security reviews failed to detect them, why access reviews failed to limit developer access to them, and why the incident wasn’t reported promptly once it was confirmed.
Facebook should also identify improvements they plan to make to their internal systems, procedures, and company culture to prevent this from happening again. After several years of embarrassing missteps, they are dangerously close to permanently losing trust and credibility with the public.
UPDATE 7/24/2019: Facebook was fined a record five billion dollars by the FTC for privacy violations. Its Board of Directors is also required to form a privacy committee to oversee Zuckerberg's team.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.