SAN FRANCISCO: Facebook said ON Thursday that it stored millions of its users’ passwords in plain text for years.
The acknowledgement from the social media giant came after a security researcher posted about the issue online.
“Security rule 101 dictates that under no circumstances passwords should be stored in plain text, and at all times must be encrypted,” said cybersecurity expert Andrei Barysevich of Recorded Future. “There is no valid reason why anyone in an organisation, especially the size of Facebook, needs to have access to users’ passwords in plain text.”
Facebook said there is no evidence its employees abused access to this data. But thousands of employees could have searched them. The company said the passwords were stored on internal company servers, where no outsiders could access them. But the incident reveals a huge oversight for the company amid a slew of bruises and stumbles in the last couple of years.
The security blog KrebsOnSecurity said some 600 million Facebook users may have had their passwords stored in plain text.