The social network says that the passwords were never exposed externally and that it found no abuse of the glitch
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Pedro Canahuati, Facebook’s Vice President for Engineering, Security, and Privacy, wrote in a statement on Thursday.
The flaw is estimated to have affected passwords for “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”.
Importantly, the social media giant said that the passwords were never exposed to anyone outside the company and that it detected no abuse of the bug.
Meanwhile, a report by security journalist Brian Krebs, released before Facebook’s statement, sheds a little more light on the issue.
Citing a senior Facebook employee, Krebs wrote that up to 600 million people may have been affected by the bug, which left their passwords searchable by more than 20,000 Facebook employees. At least some of the passwords were said to be stored insecurely – that is, without being salted and hashed – as early as 2012.
“My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords,” wrote Krebs. He said that the issue saw Facebook engineers design internal applications that inadvertently logged unencrypted passwords.
Facebook said in the statement that it will notify all users affected by the bug, but won’t require them to change their passwords.
In this context, Krebs quoted Facebook software engineer Scott Renfro as saying that the company aims to force password resets only “in cases where there’s definitely been signs of abuse”. This, per Facebook, isn’t the case here.