
Does Facebook store passwords in plain text?


Facebook is one of the most popular social media platforms in the world, with over 2.9 billion monthly active users as of Q4 2021. With so many users trusting Facebook with their personal information, including emails and passwords, data security is a major concern.

There have been rumors circulating that Facebook stores user passwords in plain text rather than encrypting them. If true, this would be a major security flaw that would put billions of accounts at risk. So does Facebook actually store passwords in plain text?

The Claim: Facebook Stores Passwords in Plain Text

The claim that Facebook stores passwords in plain text, meaning unencrypted and easily readable, originated from a 2019 article by cybersecurity expert Brian Krebs. He reported that according to multiple former Facebook employees, the company stored hundreds of millions of user passwords in plain text for years.

This was apparently an intentional design decision to allow Facebook’s thousands of engineers to search user data as needed for troubleshooting and other purposes. The passwords were allegedly accessible by about 2,000 engineers and developers up until around early 2019 when the company changed course and started encrypting them.

If true, this would be a huge security misstep by Facebook that would contradict standard and recommended data security practices. Properly securing passwords requires one-way cryptographic hashing functions like bcrypt, which transform each password into a long alphanumeric digest that cannot be turned back into the password, so the original plain text form is never stored at all.

Facebook’s Response

In response to the Krebs report, Facebook acknowledged that it had stored passwords in plain text for years but denied that thousands of employees could access them. Instead, the company claimed that the passwords were only visible to a small number of internal staff for purposes like routine security checks.

Facebook engineer Scott Renfro wrote in a blog post: “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”

He stated that starting in January 2019, Facebook had been gradually encrypting passwords through a process called “hashing.” By March 2019 when Krebs published his article, Facebook claimed the “vast majority” of passwords were hashed.

The Risks of Plain Text Passwords

Cybersecurity experts widely agree that storing passwords in plain text poses major risks. If an attacker, malicious insider, or careless employee got access to the full password database, they could easily steal usernames and passwords to break into millions of accounts.

Hashing passwords with a cryptographic hash function prevents this by transforming each password into an entirely different string that can’t be mathematically reversed. Even if hackers breach the password database, all they get are useless jumbles of characters rather than the actual passwords.
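The difference between the two storage designs described above is easiest to see side by side. The following is an added example, not code from the original article or from Facebook; it contrasts a plain-text store (the anti-pattern the article describes) with a salted, iterated hash store, and includes a migration helper of the kind a gradual transition to hashing would need. It uses PBKDF2-HMAC-SHA256 from Python’s standard library in place of bcrypt only because bcrypt needs a third-party package; the usernames, passwords and iteration count are constructed sample values.

```python
"""Plain-text password storage versus salted, iterated hashing (added example)."""
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; not real accounts.
SAMPLE_USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
}

# Work factor is an assumption for the demo; production deployments should
# follow current guidance (OWASP publishes recommended minimums) and raise it over time.
ITERATIONS = 200_000


class PlainTextStore:
    """The anti-pattern: the stored record IS the password."""

    def __init__(self):
        self.records = {}

    def add_user(self, username, password):
        self.records[username] = password

    def verify(self, username, password):
        return self.records.get(username) == password


class HashedStore:
    """Stores only a per-user salt and a one-way digest, never the password."""

    def __init__(self, iterations=ITERATIONS):
        self.iterations = iterations
        self.records = {}

    def _digest(self, password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def add_user(self, username, password):
        salt = os.urandom(16)  # fresh random salt per user defeats precomputed tables
        self.records[username] = {
            "alg": "pbkdf2-sha256",
            "iter": self.iterations,
            "salt": salt.hex(),
            "hash": self._digest(password, salt, self.iterations).hex(),
        }

    def verify(self, username, password):
        rec = self.records.get(username)
        if rec is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal whether an account exists.
            self._digest(password, b"\x00" * 16, self.iterations)
            return False
        candidate = self._digest(password, bytes.fromhex(rec["salt"]), rec["iter"])
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, bytes.fromhex(rec["hash"]))

    def migrate_from(self, plain_store):
        """Hash every plain-text record, then wipe the plain-text copies."""
        for username, password in list(plain_store.records.items()):
            self.add_user(username, password)
            del plain_store.records[username]
        return len(self.records)


def dump_reveals_passwords(store, users):
    """Breach scenario: does a dump of the stored records contain any password?"""
    dump = repr(store.records)
    return any(password in dump for password in users.values())


def build_stores(users=SAMPLE_USERS):
    plain, hashed = PlainTextStore(), HashedStore()
    for username, password in users.items():
        plain.add_user(username, password)
        hashed.add_user(username, password)
    return plain, hashed


if __name__ == "__main__":
    plain, hashed = build_stores()
    print("plain-text dump leaks passwords:", dump_reveals_passwords(plain, SAMPLE_USERS))
    print("hashed dump leaks passwords:   ", dump_reveals_passwords(hashed, SAMPLE_USERS))
    print("hashed verify (correct):       ", hashed.verify("alice@example.com", SAMPLE_USERS["alice@example.com"]))
    print("hashed verify (wrong):         ", hashed.verify("alice@example.com", "wrong"))
```

Running the module shows the point the article makes: a dump of `PlainTextStore` contains every password verbatim, while a dump of `HashedStore` contains only salts and digests, yet `verify` still works because the same salt and work factor reproduce the same digest from the correct password.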

Some key risks of plain text passwords include:

  • Mass account hijacking if the password database is compromised
  • Targeted password theft through insider access to the plain text passwords
  • Easier password reuse attacks across different accounts and websites
  • Weak accountability over internal employee access to passwords

Industry best practices dictate that passwords should always be hashed rather than stored in plain text. There is simply no good technical reason why a company as large and sophisticated as Facebook would choose to leave passwords unencrypted.

The Impact on Users

If Facebook did in fact store hundreds of millions of account passwords unencrypted for years, it represents a massive breach of user trust and privacy. Even if no passwords are known to have been misused, the mere existence of such sensitive data in plain text raises many concerns.

For starters, users likely assumed Facebook was safely encrypting their passwords as any responsible company should. Finding out their password sat in plain text on Facebook’s servers violates that expectation.

Additionally, the risks presented by plain text passwords mean users have to worry that their accounts were already compromised. While no evidence points to foul play, the possibility can’t be ruled out either.

Users must now also worry about password reuse across other accounts. If their Facebook password wasn’t unique, their email, bank, or other accounts could be vulnerable due to Facebook’s poor security practices.

The one saving grace is that Facebook has reportedly transitioned to protecting passwords through hashing as of early 2019. But the company’s reputation and users’ trust in its security have undoubtedly taken a major hit from this series of events.

Has Facebook Suffered Data Breaches Before?

While the plain text password controversy is still emerging, it would not be the first time Facebook has come under fire for data security issues.

Here are some other major data breaches and controversies that have plagued Facebook over the years:

  • Cambridge Analytica scandal – In 2018, it was revealed that millions of users’ personal data was improperly obtained by political consulting firm Cambridge Analytica through a Facebook app.
  • View As bug – A software flaw in 2018 exposed the private photos of up to 6.8 million users to third-party apps.
  • OAuth misuse – Facebook suspended tens of thousands of apps in 2019 for misusing OAuth login protocols to obtain excessive user data.
  • Celebrity contacts exposed – Private contact info for over 50 million Facebook users, mostly celebrities, was stored in plain text and exposed online in 2019.

Given Facebook’s track record of privacy issues, the plain text password revelation aligns with ongoing concerns about the company’s ability to protect user data.

Year   Data Breach                    Impact
2018   Cambridge Analytica Scandal    Data of 87 million users compromised
2018   View As Bug                    Private photos of 6.8 million users exposed
2019   OAuth Misuse                   Millions of users’ data accessed without authorization
2019   Celebrity Contacts Exposed     Contact info for 50+ million users leaked

How Serious is the Plain Text Password Problem?

Facebook storing passwords in plain text for years is undeniably a serious security failure. However, there are a few factors that potentially limit the direct damage to users:

  • No evidence so far of malicious password leaks or account breaches
  • A limited number of employees had internal access to the passwords
  • The company transitioned to encryption starting in 2019

Nonetheless, the decision demonstrates negligence towards security best practices and raises many concerns about Facebook’s priorities.

Even without misuse, the mere presence of plaintext passwords jeopardizes user trust in Facebook’s competence and integrity as a data steward. Users must now deal with uncertainty about whether their accounts were truly secure in the past.

Ultimately the gravity depends on whether more details emerge revealing concrete abuse or breaches. But at face value, this is a serious and inexcusable security anti-pattern by one of the world’s largest technology companies.

Key Takeaways

  • Facebook reportedly stored user passwords unencrypted in plaintext for years
  • This violates standard security practices and poses risks of password theft
  • Facebook claims access was limited and hashing is now used, but doubts linger
  • It aligns with Facebook’s past security issues and damages user trust
  • The full impact depends on whether malicious leaks are uncovered

What Should Facebook Do Now?

Now that this security lapse has come to light, Facebook should take proactive steps to mitigate harm, investigate what occurred, and reassure users. Some recommended actions include:

  • Force password resets – Make all users reset passwords to invalidate any that were stored in plaintext
  • Conduct audits – Thoroughly audit logs and access records to find proof of internal misuse
  • Be transparent – Share detailed findings and security roadmaps with users and regulators
  • Strengthen controls – Add more access restrictions, monitoring, and encryption safeguards

Facebook will need to demonstrate that it takes privacy and security seriously to rebuild user trust after this incident. A concrete action plan and evidence of improved practices over time will help prove that Facebook learns from its mistakes.

Ongoing scrutiny from media, experts, regulators, and users will also pressure Facebook to enact meaningful change. If it fails to satisfy concerns through audits and new security protocols, it risks further backlash and loss of platform engagement.

Conclusion

Facebook’s reported storage of user passwords in plain text is alarming for a company that serves billions of people worldwide. While the full implications have yet to emerge, it violates basic security standards and raises many questions.

For now, users should proactively reset any passwords shared across sites and closely monitor their accounts and personal data. Facebook must also work diligently to uncover the truth through internal audits, strengthen technical controls, and communicate transparently with all stakeholders.

Only time will tell if more damaging revelations appear or if Facebook can enact meaningful change to its security culture. But this incident highlights an apparent long-term negligence of privacy and ethics from one of tech’s most powerful giants.