The passwords of millions of Facebook users were accessible by up to 20,000 employees of the social network, it has been reported.
Security researcher Brian Krebs broke the news about data protection failures, which saw up to 600 million passwords stored in plain text.
Experts' Comments Below:
Paul Bischoff, Privacy Advocate at Comparitech:
“Storing passwords in plaintext seems like a rookie mistake for one of the largest internet companies in the world. Hashing and salting passwords so they are not readable and cannot be turned back into a readable format has been standard practice for many years.
Although Facebook says there were no signs of abuse, it seems unlikely that none of the alleged 20,000 employees with access to those passwords even once poked around where they shouldn’t have. Facebook says it won’t require password resets until it does find signs of abuse, but I would recommend changing your account password, anyway. Be sure to use a password that’s at least 12 characters, uses a combination of numbers, symbols, and upper- and lower-case letters, and is unique to your Facebook account.”
Adam Laub, SVP Product Management at STEALTHbits Technologies:
“This is just another example of why password hygiene matters. If compromised, this dataset would have likely led to the identity theft of at a minimum thousands, if not many, many millions of people.”
Colin Bastable, CEO at Lucy Security:
“So anyone still relying on Facebook, or any social media business, to guard their passwords and PII data is terminally optimistic.
The bigger picture is that it’s clear that hundreds of millions of consumers value likes, up-votes, faux friends and convenience over privacy.
Millions recycle the same three, four or five passwords between all social media accounts as well as their bank and employer accounts.
With so many passwords and usernames being traded by cybercriminals on the Dark Web, and with so much personal information being voluntarily made public by consumers, businesses must assume that they are vulnerable to attack via their employees’ email and work-time online presence. The employees of third parties such as consultancies also introduce significant risks. Employers large and small should deploy MFA, test and train all staff relentlessly, and have a plan for when they get hacked.”
Stephen Cox, Chief Security Architect at SecureAuth:
“With the trend of password leakage and the resulting credential misuse on the rise, organizations must evolve and adopt modern approaches to identity security, one that improves security posture but takes care to keep the user experience simple. We need to move beyond the password, and basic two-factor authentication methods, to modern adaptive risk-based approaches that leverage real-time metadata and threat detection techniques to improve end-user trust. The goal should be rendering stolen credentials useless to an attacker.”
Emmanuel Schalit, CEO at Dashlane:
“Although Facebook claims that the internal exposure of these passwords means that they were not compromised, the fact remains that they were not encrypted and exposed for years. Because the impact is still unknown, we would recommend changing your password on Facebook immediately. In fact, all Facebook users should take this opportunity to also make sure all of their passwords are strong across all of their accounts. In practice the ideal password is one that is a unique and random string of letters and numbers that can be randomly and securely generated.
“You may not be able to control the security architecture of the digital services you use every day and that hold so much of your data, but you can take measures to make sure you have optimal password hygiene. This is the digital version of the “containment” doctrine. One example is using a password manager with a Password Changer capability; this can be easily done, and used to instantly generate and change your passwords with a single click – ensuring proper and regular cyber hygiene.
“As demonstrated here, you never know when your account may have been exposed and your information vulnerable – regular and proper password hygiene is not just for breaches.”
Sam Curry, Chief Security Officer at Cybereason:
Pravin Kothari, CEO at CipherCloud:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.