Oh, feet of clay!
Facebook has just admitted that it has found many places – hundreds of millions of places, maybe – where it saved users’ passwords to disk in raw, unencrypted form.
In jargon terms, they’re known as plaintext passwords, and it means that instead of seeing a password scrambled into a hashed form such as:
379f1531753a7c43ab4f4faace212451
anyone looking at the stored data will see the actual password, right there, just like that:
123456789
or that:
mypassword99
Plaintext passwords were commonplace decades ago, but over the years saving raw passwords has become technically, socially and even morally irresponsible, a bit like drink-driving, which has gone from being merely a statutory offence to being outright unacceptable on the road.
In other words, it used to be the norm; then it was the thing you only did if you thought you wouldn’t get caught; and today it’s something that gets the book thrown at you, given that it’s so easy to get it right and so risky to get it wrong.
How did Facebook make such a basic mistake?
The good news is that the wrongly stored passwords don’t seem to be part of Facebook’s externally-accessible authentication system.
In other words, the Facebook gateway servers that let outside users log in aren’t festooned with raw copies of everyone’s passwords.
Instead, it looks as though some Facebook programmers have, over the years – back to 2012, according to cybersecurity journalist Brian Krebs – been careless when writing logfile entries.
In other words, instead of securely disposing of password data from memory after it’s been used to verify a login, they’ve allowed that data to stick around for a while, where it’s ended up in one or more logfiles where it simply didn’t need to be recorded, and shouldn’t have been.
It’s OK to keep access data such as username, timestamp, browser type, country and so on…
…but programmers are duty bound to dispose of data carefully and promptly if it isn’t supposed to be stored after it’s served its purpose.
The idea is simple: if you bump password data out of memory the instant that you no longer absolutely require it, then no one else can accidentally leak it later on.
Simply put, you can’t lose data you don’t have.
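To make the point concrete, here is an added example (not Facebook’s code, and not from the original article) of a small Python login handler written two ways: one that builds its log line from the raw request form, password and all, and one that verifies against a salted slow hash and redacts secret-looking fields before the log line exists. The user database, the list of field names treated as secrets and the PBKDF2 round count are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Field names treated as secrets when building log lines (an assumption for this example).
SENSITIVE_FIELDS = {"password", "passwd", "pass", "token", "secret"}
PBKDF2_ROUNDS = 100_000  # illustrative; tune it (or use argon2/scrypt) for production


def make_record(password: str) -> dict:
    """Store only a random salt and a slow hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# A dummy record so that unknown usernames still cost one hash computation,
# which keeps response timing from revealing which usernames exist.
_DUMMY = make_record(os.urandom(16).hex())


def verify(db: dict, username: str, password: str) -> bool:
    """Check a password against the stored hash; the password is used once and not kept."""
    record = db.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    # Constant-time comparison, and only ever True for a user that really exists.
    return hmac.compare_digest(candidate, record["hash"]) and username in db


def redact(form: dict) -> dict:
    """Copy of the form with secret-looking fields replaced before anything is logged."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v) for k, v in form.items()}


def login_leaky(db: dict, form: dict) -> str:
    """The mistake: the log line is built from the raw form, so the password lands on disk."""
    ok = verify(db, form.get("username", ""), form.get("password", ""))
    return f"login user={form.get('username')} ok={ok} params={form}"


def login_safe(db: dict, form: dict) -> str:
    """The fix: the password is consumed by verify() and never reaches the log line."""
    username = form.get("username", "")
    ok = verify(db, username, form.get("password", ""))
    return f"login user={username} ok={ok} params={redact(form)}"


if __name__ == "__main__":
    # Constructed sample data; 'mypassword99' is one of the article's example passwords.
    users = {"alice": make_record("mypassword99")}
    request = {"username": "alice", "password": "mypassword99", "ua": "Lite/1.0"}
    print(login_leaky(users, request))  # password visible in the log line
    print(login_safe(users, request))   # password replaced by [REDACTED]
```

Both handlers return the log line as a string rather than writing it, so you can see exactly what would have hit the disk; the only difference between them is whether the form is passed through `redact()` first.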
How bad is this?
Apparently, correctly bumping password data out of memory didn’t always happen in Facebook’s code.
As a detailed audit by Facebook now reveals, littered amongst the ziggabytes of data on its grillions of servers were millions of passwords that had inadvertently been saved to disk where they should never have been.
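The sort of check such an audit would run, shown here as an added example (not Facebook’s tooling, and not from the original article) over a few constructed log lines in Python. The field names it hunts for and the placeholder strings it treats as already-redacted are assumptions; a real sweep would use whatever names your own code gives its secrets.

```python
import re

# Constructed sample log lines (not real Facebook logs). Lines 1 and 3 leak a
# password; line 2 was written by code that redacted the field; line 4 is clean.
SAMPLE_LOG = """\
2019-03-21T10:01:02Z INFO login user=alice ok=True params={'username': 'alice', 'password': 'mypassword99', 'ua': 'Lite/1.0'}
2019-03-21T10:01:05Z INFO login user=bob ok=True params={'username': 'bob', 'password': '[REDACTED]', 'ua': 'Lite/1.0'}
2019-03-21T10:01:09Z DEBUG POST /login body=username=carol&password=123456789&remember=1
2019-03-21T10:02:11Z INFO logout user=alice
"""

# Field names that should never be followed by a real value in a log line
# (the list is an assumption; extend it with your own secret field names).
SECRET_KEY = re.compile(
    r"(?i)\b(password|passwd|passphrase|pwd|pass|secret|token)\b"  # the field name
    r"['\"]?\s*[=:]\s*['\"]?"                                      # = or : with optional quotes
    r"([^'\"&\s,}]+)"                                              # the value
)
# Values that mean "already redacted", compared case-insensitively.
PLACEHOLDERS = {"[redacted]", "<redacted>", "***", "null", "none"}


def find_leaks(log_text: str) -> list:
    """Return (line number, field name, value length) for every real secret found.

    The value itself is deliberately not returned: an audit report that listed
    the plaintext passwords would just be one more place they were stored.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in SECRET_KEY.finditer(line):
            field, value = match.group(1).lower(), match.group(2)
            if value.lower() not in PLACEHOLDERS:
                findings.append((lineno, field, len(value)))
    return findings


if __name__ == "__main__":
    for lineno, field, length in find_leaks(SAMPLE_LOG):
        print(f"line {lineno}: field '{field}' holds a {length}-character value in the clear")
```

Run over the sample it flags lines 1 and 3 and leaves the redacted entry on line 2 alone. The regex deliberately accepts both `key=value` query-string style and the quoted `'key': 'value'` style that a carelessly logged dictionary produces, because both are common ways passwords end up in logs.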
According to Krebs:
A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
Facebook Lite is a stripped-down flavour of Facebook used in countries where mobile data plans are hard to come by and expensive.
Should I close my Facebook account?
We can’t answer that for you.
Given that the wrongly stored passwords weren’t easily accessible in one database, or deliberately stored for routine use during logins, we don’t think this breach alone is enough reason to terminate your account.
On the other hand, it’s a pretty poor look for Facebook, and it might be enough, amongst all the other privacy concerns that have dogged Facebook in recent years, to convince you to take that final step.
In short, we’re not advising you to close your account, but we are suggesting you factor this lapse in coding quality into your overall decision on what to do next.
But you have to decide for yourself. (For what it’s worth, we’re not closing our account.)
Should I change my Facebook password?
It’s perfectly possible that no passwords at all fell into the hands of any crooks as a result of this.
But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before!), then they are ready for abuse right away.
Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed.
So our advice is: don’t wait for Facebook; change your password now. (We already did!)
Should I turn on two-factor authentication?
We’ve been urging you to do this everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account.
If you are reluctant to give Facebook your phone number, use app-based authentication, where your mobile phone generates a one-time code each time you log in.
So we say: turn on 2FA now. (We did it ages ago!)
The short version
- Change your Facebook password now. Don’t wait for Facebook to contact you.
- Turn on 2FA if you haven’t already. It’s a small inconvenience for a big jump in security.
Then you can figure out whether you want to ditch your account, without making a snap decision you might later regret.
10 comments on “Change your Facebook password now!”
Don’t “change your password”! Get rid of that $#!+ now. Delete Facebook and take back your life.
Have they corrected the problem? If not, changing your password may be premature if the new password is being handled the same way the old password was handled.
Well, Facebook knows what to look for now, and is looking pretty darn hard, so I’d back their security team to be fixing this pretty quickly, albeit not all at once. In other words: why not change your password _now_ to invalidate any existing copies of it, given that the current leakage has been going on in various places for a while?
There’s nothing to stop you changing it again in two weeks if you are still worried then… but why wait for those two weeks before neutralising what you might call ‘the leakage risk so far’?
Waiting to change your password now is like putting off important maintenance on your car because you’d only start wearing out the new brake pads right away, so why not wait until the current pads are so far gone you can hear metal on metal and can’t brake at all…
the personal issues with facebook outweigh any personal benefits
the societal issues with facebook outweigh any societal benefits
Those with facebook accounts should just delete all their data and then close their accounts (you can live without facebook)
Those without facebook can just be thankful they never got involved
If that’s really what you think, you should probably have deleted your Facebook account some time ago – if what you’re worried about is limited to “personal and social” issues, then you surely already have more than enough evidence to decide one way or the other without even taking this issue into account?
2FA is great BUT I’m not keen on giving FB my phone number.
You don’t have to. As mentioned above, you can use an app-based authenticator – they work offline once set up, and you don’t need a phone number – to generate your one-time login codes. Sophos Mobile Security, as it happens (see the “Free tools” ribbon above) includes an authenticator…
Who in their right mind uses Fakebook? I block the hypocrite robot Zuckerberg’s intrusions.
I got rid of all non-anonymous, social accounts years ago. Feels good. Besides, LifeLog is just way too intrusive and dishonest. Did I say LifeLog? I mean..Facebook. Meh, same thing.
I felt like changing the password of my Facebook account was a tough job until I got to know about this article. As I am a new user of Facebook, I have very little knowledge and idea about Facebook. So after reading this article, I got to know so many things about Facebook. Thank you so much for writing this article. I really appreciate your work. Great job.