The Register nails it, once again.
Let’s spin Facebook’s Wheel of Misfortune! Clack-clack-clack… clack… You’ve won ‘100s of millions of passwords stored in plaintext’
Facebook today admitted it stored “some” of its addicts’ account passwords in a plaintext readable format. For “some”, read hundreds of millions.
The antisocial network quietly made the mea culpa in a statement that followed its breathless announcement of the Oculus Rift S Virtual Reality headset. The password snafu confession was, as far as we can tell, forthcoming from the Silicon Valley giant only after investigative journalist Brian Krebs blew the lid off the blunder.
Why Facebook waited 3 months to disclose its latest privacy screw-up
We reached out to Facebook in an attempt to answer this question, but unsurprisingly received no response as of press time. Troy Hunt, a security researcher perhaps best known for running the breach disclosure site HaveIBeenPwned, was significantly more willing to chat.
“I suspect Facebook decided not to initially disclose the issue as they had no evidence of the data being used maliciously,” he wrote over Twitter direct message. “I can understand that position insofar as whilst the storage was clearly improper, without a compromise of the stored data the impact on customers would have been zero.”
This, of course, assumes that the passwords weren’t improperly accessed. Facebook claims as much in its blog post, but that requires you to trust Facebook. Which, well, you’d be forgiven for not jumping at the opportunity.
They’re all talking about whether these plaintext passwords were accessed by Facebook staff, whether anything malicious happened, but I think they’re missing a question — how did this happen?
Facebook’s own statement:
Or rather, not keeping them secure.
As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable.
Obviously not designed well enough, because that didn’t happen this time.
[…] In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them.
No it doesn’t.
In security terms, we “hash” and “salt” the passwords, including using a function called “scrypt” as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.
Yes yes yes, that’s all well and good, but that didn’t happen this time, because …? Who knows, perhaps they’ll tell us the next time this happens?
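Facebook's statement describes the scheme that should have produced every stored record: a per-user salt, scrypt, and a server-side cryptographic key, so that the stored value is useless without the key and cannot be reversed into the password. The block below is an added illustration of that design and of the "routine security review" check that catches a readable record; it is not Facebook's code, and the key, parameters and record format are assumptions of this example, not anything the statement discloses.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors (assumed values; tune to the deployment's CPU and memory budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

# Constructed server-side key standing in for the "cryptographic key" in the statement.
# In production this lives in a KMS/HSM, never next to the password table.
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt + scrypt + keyed MAC, serialised as scrypt$N$r$p$salt_hex$mac_hex."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )
    # The server key is applied last: a copy of the table alone cannot be brute-forced
    # offline without it, and rotating the key does not require re-hashing with scrypt.
    mac = hmac.new(SERVER_KEY, digest, hashlib.sha256).digest()
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${mac.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the record from the candidate password and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, mac_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=DKLEN,
        )
        mac = hmac.new(SERVER_KEY, digest, hashlib.sha256).digest()
        return hmac.compare_digest(mac, bytes.fromhex(mac_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex): treat as a failed login, never crash.
        return False


def is_wellformed_record(stored: str) -> bool:
    """Audit check: does this stored value have the shape the login system is supposed to write?

    A record that fails this check (for example a bare password string) is exactly the kind of
    'readable format' finding a periodic review of the credential store should flag.
    """
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        int(parts[1]), int(parts[2]), int(parts[3])
        salt, mac = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return False
    return len(salt) >= 16 and len(mac) == 32


def audit_records(records) -> list:
    """Return the (user, value) pairs whose stored value is not a well-formed hashed record."""
    return [(user, value) for user, value in records if not is_wellformed_record(value)]


if __name__ == "__main__":
    # Constructed sample table: two proper records and one that leaked through as plaintext.
    table = [
        ("alice", hash_password("correct horse battery staple")),
        ("bob", hash_password("hunter2")),
        ("carol", "Tr0ub4dor&3"),  # the failure mode the statement describes
    ]
    print("verify alice:", verify_password("correct horse battery staple", table[0][1]))
    print("readable records found:", audit_records(table))
```

The audit function only checks the shape of a record, which is all a review of the store itself can do; the separate question the statement leaves open, how readable copies reached other internal systems in the first place, is a data-flow question that no check on the password table answers.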