Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

Facebook Password Breach: What You Need to Know


Written by Terence Jackson

March 22nd, 2019

Yesterday Facebook disclosed during a routine security review they discovered “some” user passwords were being stored unencrypted, but the passwords were not visible to anyone outside of Facebook. Facebook’s definition of “some” doesn’t really illustrate the full magnitude of this event. Regardless, we are still talking about a password breach situation, and hundreds of millions of users are affected.

False Reassurance

Facebook released an official statement declaring, “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”

Assuming they follow a Secure Systems Development Lifecycle (SSDLC), this should be core protection built into the system and verified.  That there is no evidence anyone external to Facebook had access to the un-encrypted passwords is not reassuring. Was this a flaw or accepted risk?

More questions than answers

So what went wrong and how could plain-text credentials go undetected since 2012?

As a Facebook user, I wonder why an internal employee would need access to my un-encrypted password. Ultimately, it’s still up to the consumer to govern data shared with services like these. At no time should Facebook’s member passwords ever have been left in clear text.

This won’t be the last of Facebook’s issues.  According to an inside source of Brian Krebs, “Some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.”  This presents even more questions.

The Facebook password incident and others like it continue to highlight the importance of security. It is critical that dev teams work together to ensure events like these are promptly discovered and remediated.  This is also an indicator that the demise of the password has been greatly exaggerated.

What you should do now

Yesterday’s released statement says Facebook estimates it will “notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” about the breach. Even if you were not notified, we recommend you change your password immediately. And in case you reuse the same password across multiple sites, be sure to change and update your credentials on those platforms. Here are some other security tips:

  • Set up 2-factor authentication
  • Sign up to receive alerts about unrecognized Facebook logins
  • Stop reusing passwords across different accounts.
  • Download a password manager.

If Facebook can’t get basic password security right, what other security flaws have yet to be disclosed?


Like this post?

Get our top blog posts delivered to your inbox once a month.