Oh, feet of clay!
Facebook has just admitted that it has found many places – hundreds of millions of places, maybe – where it saved users’ passwords to disk in raw, unencrypted form.
In jargon terms, they’re known as plaintext passwords, and it means that instead of seeing a password scrambled into a hashed form such as this:
379f1531753a7c43ab4f4faace212451
…anyone looking at the stored data will see the actual password, right there, just like that:
123456789
…or that:
mypassword99
Plaintext passwords used to be commonplace, decades ago, but it’s become technically, socially and even morally irresponsible to save raw passwords over the years, a bit like drink-driving has become not only a statutory offence but also outright unacceptable on the road.
In other words, it used to be the norm; then it was the thing you only did if you thought you wouldn’t get caught; and today it’s something that gets the book thrown at you, given that it’s so easy to get it right and so risky to get it wrong.
How did Facebook make such a basic mistake?
The good news is that the wrongly stored passwords don’t seem to be part of Facebook’s externally-accessible authentication system.
In other words, the Facebook gateway servers that let outside users log in aren’t festooned with raw copies of everyone’s passwords.
Instead, it looks as though some Facebook programmers have, over the years – back to 2012, according to cybersecurity journalist Brian Krebs – been careless when writing logfile entries.
In other words, instead of securely disposing of password data from memory after it’s been used to verify a login, they’ve allowed that data to stick around for a while, where it’s ended up in one or more logfiles where it simply didn’t need to be recorded, and shouldn’t have been.
It’s OK to keep access data such as username, timestamp, browser type, country and so on…
…but programmers are duty bound to dispose of data carefully and promptly if it isn’t supposed to be stored after it’s served its purpose.
The idea is simple: if you bump password data out of memory the instant that you no longer absolutely require it, then no one else can accidentally leak it later on.
Simply put, you can’t lose data you don’t have.
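As an added illustration (not code from this article or from Facebook), here is a small Python sketch of the logging mistake described above next to the careful version, plus a check that scans log lines for password-shaped fields. The function names, the allowlist of loggable fields and the use of a salted PBKDF2 hash rather than the bare hash shown earlier are my assumptions, and the sample log lines are constructed.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

# Fields it is fine to record for a login attempt (username, browser type,
# country; a timestamp is added). Anything else never reaches the log line.
LOG_ALLOWLIST = ("username", "browser", "country")

# Audit pattern: a password-like key followed by a value, e.g. password=hunter2
# or 'password': 'hunter2' as it would appear in a dumped dict.
PASSWORD_KEYS = re.compile(r"""(?i)\b(pass(?:word|wd)?|pwd|secret)\b['"]?\s*[=:]\s*\S+""")

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); only these are stored, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def careless_log_line(request: dict) -> str:
    """The failure mode: dumping the whole request, password included."""
    return f"login attempt {request!r}"

def careful_log_line(request: dict) -> str:
    """Record only allowlisted fields, so the password cannot end up on disk."""
    fields = {k: request[k] for k in LOG_ALLOWLIST if k in request}
    fields["ts"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return "login attempt " + " ".join(f"{k}={v}" for k, v in fields.items())

def handle_login(request: dict, stored: Tuple[bytes, bytes]) -> Tuple[bool, str]:
    """Verify the password, build the log line without it, then drop it."""
    password = request.pop("password")   # removed from the request object itself
    ok = verify_password(password, *stored)
    line = careful_log_line(request)     # request no longer carries the secret
    del password   # drop our reference; nothing downstream can be handed it
    return ok, line

def find_leaked_passwords(log_lines: list) -> list:
    """Audit check: indices of log lines that appear to contain a password."""
    return [i for i, line in enumerate(log_lines) if PASSWORD_KEYS.search(line)]
```

Note that `del` only discards the reference; Python cannot promise the immutable string is wiped from memory, which is why the safer habit is to keep the secret out of any object that logging code might see at all.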
How bad is this?
Apparently, correctly bumping password data out of memory didn’t always happen in Facebook’s code.
As a detailed audit by Facebook now reveals, littered amongst the ziggabytes of data on its grillions of servers were millions of passwords inadvertently saved to disk where they should never have been.
According to Krebs:
A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
Facebook Lite is a stripped-down flavour of Facebook used in countries where mobile data plans are hard to come by and expensive.
Should I close my Facebook account?
We can’t answer that for you.
Given that the wrongly stored passwords weren’t easily accessible in one database, or deliberately stored for routine use during logins, we don’t think this breach alone is enough reason to terminate your account.
On the other hand, it’s a pretty poor look for Facebook, and it might be enough, amongst all the other privacy concerns that have dogged Facebook in recent years, to convince you to take that final step.
In short, we’re not advising you to close your account, but we are suggesting you factor this lapse in coding quality into your overall decision on what to do next.
But you have to decide for yourself. (For what it’s worth, we’re not closing our account.)
Should I change my Facebook password?
It’s perfectly possible that no passwords at all fell into the hands of any crooks as a result of this.
But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before!), then they are ready for abuse right away.
Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed.
So our advice is: don’t wait for Facebook; change your password now. (We already did!)
Should I turn on two-factor authentication?
We’ve been urging you to do this everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account.
If you are reluctant to give Facebook your phone number, use app-based authentication, where your mobile phone generates a one-time code each time you log in.
So we say: turn on 2FA now. (We did it ages ago!)
The short version
- Change your Facebook password now. Don’t wait for Facebook to contact you.
- Turn on 2FA if you haven’t already. It’s a small inconvenience for a big jump in security.
Then you can figure out whether you want to ditch your account, without making a snap decision you might later regret.