About a month ago, Facebook owned up to a programming blunder that’s been a top-of-the-list coding “no-no” for decades.
The social networking behemoth admitted that it had been logging some passwords in plaintext, saving a record of exactly what your password was, character by character, rather than just keeping a cryptographic hash used for verifying that your password was correct.
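The contrast the article draws, as an added example that is not Facebook's or Instagram's code: a request body logged verbatim puts the password in the logfile, a redacting logger does not, and a salted PBKDF2 digest lets the server verify a password without ever retaining the plaintext. Field names, the sample request and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

# Constructed example: the logging blunder beside its fix, plus verify-by-hash.
SENSITIVE_KEYS = {"password", "passwd", "pass", "new_password", "old_password"}


def redact(record):
    """Return a copy of a request dict with credential fields masked before logging."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in record.items()}


def log_line_unsafe(request):
    # The blunder: the whole request body is serialised into the log, password included.
    return "login attempt " + json.dumps(request, sort_keys=True)


def log_line_safe(request):
    # The fix: credential fields are masked before the record is serialised.
    return "login attempt " + json.dumps(redact(request), sort_keys=True)


def hash_password(password, salt=None, iterations=200_000):
    """Store only salt, iteration count and PBKDF2-HMAC-SHA256 digest, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + str(iterations) + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest from the candidate password and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def password_leaked(log_line, password):
    """Detection check: does the secret appear verbatim anywhere in the log text?"""
    return password in log_line


if __name__ == "__main__":
    req = {"user": "alice", "password": "correct horse battery staple"}  # constructed sample
    print(log_line_unsafe(req))  # password appears in the log
    print(log_line_safe(req))    # password field masked
    stored = hash_password(req["password"])
    print(verify_password(req["password"], stored), verify_password("wrong", stored))
```

Running `password_leaked` over existing log output is the same check an auditor would use to find entries like the ones Facebook reported.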
Well, it’s just updated its March 2019 admission to state that the number of plaintext passwords found scattered round its systems in various logfiles is greater than originally thought.
Back in March, the damage was said to involve hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users, but yesterday the company updated its bulletin to say:
Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.
Simply put, the chance that your Instagram password was stored somewhere in a logfile, somewhere in Facebook’s network, turns out to be 100 times greater than you might have thought last month.
Should you be worried?
We didn’t get an alert about either our Instagram or Facebook password having been affected back in March 2019, but we followed our own advice and changed our password anyway, so we’re not worried about this new announcement.
If anyone at Facebook had been able to retrieve our password from somewhere in Facebook’s sea of data – and we suspect they’d have gone directly after all our other data anyway, rather than bothering to log in with our account – then that old password is valueless now.
We’ve also had two-factor authentication (2FA) turned on for ages, and we are in the habit of logging out formally from both Facebook and Instagram, on both our laptop and our mobile phone, on a regular basis.
Regular logouts are mildly annoying, given that we have to log back in using both our password and 2FA code, but we think it’s a small price to pay to make life harder for the crooks.
It also gets us in the habit of checking through the “who logged in from where and on which device” logs regularly, which gives us a better chance of spotting wrongdoing against our account.
So, once again, we’re not panicking, and we’re not advising you to close either your Facebook or your Instagram account – at least, not on this basis alone.
To repeat our advice from last time:
Should you close your Instagram account?
We can’t answer that for you.
Given that the wrongly stored passwords weren’t easily accessible in one database, or deliberately stored for routine use during logins, we don’t think this breach alone is enough reason to terminate your account.
(For what it’s worth, we’re not closing ours.)
Should you change your Instagram password?
It’s highly unlikely that any passwords were acquired by any crooks as a result of this, but if any plaintext passwords do end up in the wrong hands, you can be sure that the crooks will try them out right away.
So our advice is: don’t wait for Facebook or Instagram to warn you – change your password now.
(We already changed ours, back in March 2019 when the first warning came out.)
Should you turn on two-factor authentication?
We’ve been urging you to do this everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account.
(We did it ages ago.)
Watch our advice video
Here’s the special edition of Naked Security Live that we presented back in March 2019 – all the advice we give in this video is still relevant, and covers a range of questions, including:
- What happened?
- Was this a blunder or was Facebook being deliberately sneaky?
- Should I close my account because of this?
- What steps should I take right now?
5 comments on “Facebook: we logged 100x more Instagram plaintext passwords than we thought”
‘Should you turn on two-factor authentication’?
And give them another piece of personal information to log and share as their will dictates???????
If you mean your phone number… you don’t have to hand it over if you don’t want to. From the Instagram setup page: “We’ll send a text message … or you can use the security app of your choice.” (Sophos Mobile Security is free and includes an authenticator.)
Thanks Paul, I will look into that.
My response referred primarily to a phone number. Before the recent revelation of them being ‘shared’ Facebook continuously reminded me to add it and use it to authenticate.
I gave Facebook my phone number ages ago for 2FA – I figured the benefits outweighed the risk – and as far as I can tell nothing bad has come of it. I now have the choice to use that number or a time-based authentication code for both FB and IG (they can be different, as far as I can see, if that’s what you want).
The scary part is, these are the known unknowns, what they admit to. Which in normal business “oops” means there is a hella lot more of these. On the bright side, with everyone being encouraged to make better passwords, how else will the new password list get made for the spy agencies. (yeah I gagged while typing the last line)