Yesterday Facebook disclosed during a routine security review they discovered “some” user passwords were being stored unencrypted, but the passwords were not visible to anyone outside of Facebook. Facebook’s definition of “some” doesn’t really illustrate the full magnitude of this event. We are talking hundreds of millions of users that are affected.

False Reassurance

Facebook released an official statement declaring, “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”

Assuming they follow a Secure Systems Development Lifecycle (SSDLC), this should be core protection built into the system and verified.  That there is no evidence anyone external to Facebook had access to the un-encrypted passwords is not reassuring. Was this a flaw or accepted risk?

More questions than answers

So what went wrong and how could plain-text credentials go undetected since 2012?

As a Facebook user, I wonder why an internal employee would need access to my un-encrypted password. Ultimately, it’s still up to the consumer to govern data shared with services like these. At no time should the passwords ever have been left in clear text.

This won’t be the last of Facebook’s issues.  According to an inside source of Brian Krebs, “Some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.”  This presents even more questions.

This incident and others like it continue to highlight the importance of security. It is critical that dev teams work together to ensure events like these are promptly discovered and remediated. This is also an indicator that the demise of the password has been greatly exaggerated.

What you should do now

Yesterday’s released statement says Facebook estimates it will “notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Even if you were not notified, we recommend you change your password immediately. And in case you reuse the same password across multiple sites, be sure to change and update your credentials on those platforms. Here are some other security tips:

• Set up 2-factor authentication
• Sign up to receive alerts about unrecognized Facebook logins
• Stop reusing passwords across different accounts.
• Download a password manager.

If Facebook can’t get basic password security right, what other security flaws have yet to be disclosed?

For more information on who Thycotic is and what they can do for you, speak with a Lifeboat Sales Representative.

Posted by Terence Jackson, Chief Information Security Officer (CISO) at Thycotic. Thycotic’s award winning Privilege Access Management solutions limit privileged account risk, implement least privilege policies, control applications, and demonstrate compliance.