During a security review in January, Facebook found that the passwords were stored in a readable format, against its security procedures, but that they were never visible to anyone outside of the company.
Facebook Inc. disclosed a flaw on its social network that made passwords of hundreds of millions of users visible to employees and said the issue has now been fixed.
Most of the accounts affected were using Facebook Lite, a version of the app designed for emerging markets. The company said it hasn’t found evidence this access was abused.
Facebook disclosed the problem after the security blog KrebsOnSecurity learned about it from an internal source. Krebs said the issue dated back to 2012 in some cases.
How We Protect People’s Passwords
In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them. In security terms, we “hash” and “salt” the passwords, including using a function called “script” as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.
Because we know that people may share, reuse or have their passwords stolen, we’ve built security measures to help protect people’s accounts:
We use a variety of signals to detect suspicious activity. For example, even if a password is entered correctly, we will treat it differently if we detect that it is being entered from an unrecognized device or from an unusual location. When we see a suspicious login attempt, we’ll ask an additional verification question to prove that the person is the real account owner.
People can also sign up to receive alerts about unrecognized logins.
Knowing some people reuse passwords across different services, we keep a close eye on data breach announcements from other organizations and publicly posted databases of stolen credentials. We check if stolen email and password combinations match the same credentials being used on Facebook. If we find a match, we’ll notify you next time you log in and guide you through changing your password.
To minimize the reliance on passwords, we introduced the ability to register a physical security key to your account, so the next time you log in you’ll simply tap a small hardware device that goes in the USB drive of your computer. This measure is particularly critical for high-risk users including journalists, activists, political campaigns and public figures.
Securing Your Account
While no passwords were exposed externally and we didn’t find any evidence of abuse to date, here are some steps you can take to keep your account secure:
You can change your password in your settings on Facebook and Instagram. Avoid reusing passwords across different services.
Pick strong and complex passwords for all your accounts. Password manager apps can help.
Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third party authentication app. When you log in with your password, we will ask for a security code or to tap your security key to verify that it is you.
To advertise, please contact our advertising team here: Advertise with us.