
Experts Comments: Facebook Employees Had Access To Hundreds Of Millions Of User Passwords In Plain Text For Years

By ISBuzz Team, March 22, 2019 (Updated: July 4, 2024)

The passwords of millions of Facebook users were accessible to up to 20,000 employees of the social network, it has been reported.

Security researcher Brian Krebs broke the news of the data protection failure, in which up to 600 million passwords were stored in plain text.

https://twitter.com/xmgz/status/1108969932417458177

Experts Comments Below: 

Paul Bischoff, Privacy Advocate at Comparitech:

“Storing passwords in plaintext seems like a rookie mistake for one of the largest internet companies in the world. Hashing and salting passwords so they are not readable and cannot be turned back into a readable format has been standard practice for many years. 

Although Facebook says there were no signs of abuse, it seems unlikely that none of the alleged 20,000 employees with access to those passwords even once poked around where they shouldn’t have. Facebook says it won’t require password resets until it does find signs of abuse, but I would recommend changing your account password, anyway. Be sure to use a password that’s at least 12 characters, uses a combination of numbers, symbols, and upper- and lower-case letters, and is unique to your Facebook account.” 
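As an added illustration (not code from the article or from any of the commenters), the contrast Bischoff describes, in Python: a store whose record is the password itself, next to a salted PBKDF2 record that cannot be turned back into the password. The audit helper, record format and sample credentials are constructed assumptions, not Facebook's implementation.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration only.
SAMPLE_PASSWORD = "correct horse battery staple"


def store_plaintext(password: str) -> str:
    """The failure mode in the story: the stored record IS the password,
    so anyone who can read the store (staff, a backup, a log) has it."""
    return password


def store_hashed(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The record reveals neither the password
    nor whether two users share one (each record gets a fresh random salt)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Assumed record layout: algorithm$iterations$salt_hex$digest_hex
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(record: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_exposes_password(record: str, password: str) -> bool:
    """Audit check: does merely reading the stored record give away the secret?"""
    return password in record


def audit_store(store: dict) -> list:
    """Return the usernames whose records are not in the hashed format,
    i.e. the records an internal reader could use directly as credentials."""
    return [user for user, rec in store.items()
            if not rec.startswith("pbkdf2_sha256$")]


if __name__ == "__main__":
    # Constructed store mixing the two storage styles.
    store = {"alice": store_plaintext(SAMPLE_PASSWORD),
             "bob": store_hashed(SAMPLE_PASSWORD)}
    print("plaintext records found for:", audit_store(store))
```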

Adam Laub, SVP Product Management at STEALTHbits Technologies:

“If everyone leveraged strong, unique passwords and changed them frequently, this type of news might not be treated quite the same. However, in all likelihood, whether these passwords were around for 10 minutes or 10 years, the username and password combinations would still be valid. If not on Facebook, then almost assuredly on some other site.  

“This is just another example of why password hygiene matters. If compromised, this dataset would have likely led to the identity theft of, at a minimum, thousands, if not many, many millions of people.”

Colin Bastable, CEO at Lucy Security:

“We keep hearing that encryption will fix the problems of cyber insecurity – but this surely demonstrates why that is a pipe dream. Someone decided to leave these passwords in the clear, probably for convenience. People can always find a reason not to deploy encryption, and all it takes is one weak link to break the chain of trust. 

So anyone still relying on Facebook, or any social media business, to guard their passwords and PII data is terminally optimistic. 

The bigger picture is that it’s clear that hundreds of millions of consumers value likes, up-votes, faux friends and convenience over privacy.  

Millions recycle the same three, four or five passwords between all social media accounts as well as their bank and employer accounts. 

With so many passwords and usernames being traded by cybercriminals on the Dark Web, and with so much personal information being voluntarily made public by consumers, businesses must assume that they are vulnerable to attack via their employees’ email and work-time online presence. The employees of third parties such as consultancies also introduce significant risks. Employers large and small should deploy MFA, test and train all staff relentlessly, and have a plan for when they get hacked.”

Stephen Cox, Chief Security Architect at SecureAuth:

“The discovery is just another indication that our continued reliance on passwords is not sustainable and fails consumers. Decades of experience shows us that the password is an archaic method of authentication, often not under the control of the user, and simply isn’t enough to satisfy today’s threat landscape. Not only are many organizations using poor hygiene when storing passwords, a large portion of these passwords are already widely available on the dark web due to previous massive breaches. The reality is that people reuse passwords across multiple websites and password leaks can have far reaching consequences. 

“With the trend of password leakage and the resulting credential misuse on the rise, organizations must evolve and adopt modern approaches to identity security, one that improves security posture but takes care to keep the user experience simple. We need to move beyond the password, and basic two-factor authentication methods, to modern adaptive risk-based approaches that leverage real-time metadata and threat detection techniques to improve end-user trust. The goal should be rendering stolen credentials useless to an attacker.”  

Emmanuel Schalit, CEO at Dashlane:

“Passwords are to the digital age what seatbelts were to the auto industry. They protect your identity, finances, and other critical personal information now that most of this information resides in the Cloud.

“Although Facebook claims that the internal exposure of these passwords means that they were not compromised, the fact remains that they were not encrypted and were exposed for years. Because the impact is still unknown, we would recommend changing your password on Facebook immediately. In fact, all Facebook users should take this opportunity to also make sure all of their passwords are strong across all of their accounts. In practice the ideal password is one that is a unique and random string of letters and numbers that can be randomly and securely generated.

“You may not be able to control the security architecture of the digital services you use every day and that hold so much of your data, but you can take measures to make sure you have optimal password hygiene. This is the digital version of the “containment” doctrine. One example is using a password manager with a Password Changer capability; this can be easily done, and used to instantly generate and change your passwords with a single click, ensuring proper and regular cyber hygiene.

“As demonstrated here, you never know when your account may have been exposed and your information vulnerable – regular and proper password hygiene is not just for breaches.” 

Sam Curry, Chief Security Officer at Cybereason:

“Passwords in a flat file for anyone to read?! Are you kidding me? Give me a break! Everyone, including Facebook, has tech debt and security debt that piles up. But that’s not an excuse any longer. Facebook is starting to look like critical social infrastructure, where their responsibility is to the public. It’s past time to go back and clean the skeletons out of the closets. How can we trust this platform to get bigger and get more connected under the hood if they can’t do the basic blocking and tackling right? Facebook needs a security strategy for the 21st century, not the 20th century.”

Pravin Kothari, CEO at CipherCloud:

“Personal information such as passwords should be encrypted and protected, absolutely never stored in the clear. With all of the emerging regulations on data protection and privacy of individuals, such as EU GDPR (The General Data Protection Regulation) and the California Consumer Privacy Act of 2018, which takes effect in 2020, exposing such PII data may open the organization to violations and penalties.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
