Facebook admitted last month that it has been storing passwords for Facebook, Facebook Lite and Instagram users in plaintext since 2012. While the unencrypted passwords were not accessed by a malicious actor, about 2,000 Facebook engineers and developers had the ability to view these users’ login credentials. Facebook’s initial estimates stated that “hundreds of millions” of Facebook users and “thousands” of Instagram users were affected. However, Facebook waited until the Mueller report dropped yesterday to announce that “millions” of Instagram passwords were exposed in its password-related security incident last month, instead of the initial estimate of “tens of thousands.”
Facebook has also announced this week that it has harvested the email contact lists for 1.5 million of its users by asking for the email passwords for existing users’ accounts in 2016.
Social Media Reaction:
Beyond the security sin of asking 1.5 million people to reveal the passwords to their email accounts, Facebook then used those credentials to secretly suck up all their email contacts: https://t.co/6jW8ltPvfo
— Kashmir Hill (@kashhill) April 18, 2019
"A security researcher recently noticed Facebook was asking some new users to provide their email passwords when they signed up — a move widely condemned by security experts."
Obviously an evil move by Facebook, but how stupid do you have to be to do that.
— Michael Krieger (@LibertyBlitz) April 18, 2019
Story only gets worse: Two weeks ago, @Facebook was demanding users enter their email passwords. Now it appears FB was actually copying those users’ entire contact lists. In #SBBlogwatch at @securityblvd, @RICHI loses count of all the Facebook scandals: https://t.co/aMV0duHK1v
— Richi Jennings @richi@vmst.io / @richi.bsky.social (@RiCHi) April 18, 2019
Expert Comments:
Ben Goodman, VP of Global Strategy and Innovation at ForgeRock:
“Despite the arguably poor security hygiene and the collection of users’ email contacts without their consent, the company has stated that no passwords were exposed externally and that it has no evidence of any of this information being abused to date. If any of the passwords and other login credentials were to have been exposed, malicious actors could have taken over more than a user’s Facebook or Instagram accounts. People tend to reuse passwords across multiple accounts, meaning that if one set of login credentials is exposed, the individual can become highly susceptible to accounts with much more sensitive information being hijacked, such as banking, healthcare and even government portals. Social media accounts are also a treasure trove of personal data that, if compromised, can be used for social engineering, synthetic identity creation and account takeovers.
Facebook and Instagram users should strongly consider changing their passwords to something strong and unique that they do not use on other accounts, as well as enabling multi-factor authentication (MFA). MFA will prompt users to verify their identities in case an account’s credentials do happen to become compromised. Other companies should also strongly consider the use of MFA and behavioral analytics solutions, which can detect and prevent the use of these compromised credentials and data against them.”
Pravin Kothari, CEO at CipherCloud:
“Individuals and organizations should take the following steps to better protect the privacy of their data: use common sense about the application and the data it asks for before granting access to your information. Delink your connection to applications you are uncertain about. Be careful about clicking on links in phishing emails, which are often disguised as emails from your bank or credit card site. Call the number on your card or open the site in a new browser if you’re not sure. Encrypt your personal data in the cloud and keep your encryption keys with you. Never store your keys and data in the same cloud. Use your rights management with shared documents so no one else can access them.”
Sam Curry, Chief Security Officer at Cybereason:
Jake Moore, Security Specialist at ESET:
“Using a unique password is one step towards better protection just in case any of your passwords are leaked or phished by increasingly sophisticated attackers. Further still, multi-factor authentication, which uses your phone as another form of verification, is an even stronger way to help protect against attacks.
It just goes to show that however big or small the company is, mistakes can occur to the detriment of your password, so if there’s one thing you do differently today, make sure you download and start using a password manager app.”
Brian Vecci, Field CTO at Varonis:
Tim Mackey, Senior Technical Evangelist at Synopsys: