Facebook has been mining user data for years. It logs our political stances, relationship histories and even phone records. Recent information suggests that it has been logging something else, too: unencrypted passwords.
According to recent reports, hundreds of millions of passwords were stored in plain text by Facebook-created applications. This data was searchable by around 2,000 Facebook engineers and was queried on over 9 million occasions.
According to the social media firm’s Vice President of Engineering, Security, and Privacy, Pedro Canahuati, the unencrypted passwords were discovered during a standard security review at the beginning of this year. He went on to say that the firm had addressed the issue and would send precautionary notifications to all affected users.
Canahuati explained that the passwords were never made available to any third parties and that the firm had seen no evidence of their abuse or improper access by Facebook employees. At the time of the press release, Facebook expected to be contacting tens of thousands of Instagram users, tens of millions of regular Facebook users and hundreds of millions of Facebook Lite users.
According to Canahuati, Facebook Lite is a mobile app version that provides Facebook services in low connectivity areas. The app is popular in regions such as the Philippines, Indonesia, India, Mexico and Brazil.
Although Facebook Lite users represent the vast majority of affected individuals, it is clear that other applications were also involved. Canahuati explained that Facebook applications were only supposed to store a mathematical representation of user passwords and not the passwords themselves.
How to protect yourself
If you have any privacy concerns, it may be worth changing your Facebook and Instagram passwords. It is also important to avoid using the same password for multiple accounts. Choose strong, complex passwords for each of your accounts. You may find a password manager app useful.
Facebook offers a number of measures that prevent third parties from using stolen login details. These measures include two-factor authentication and the use of a USB security key. For those whose passwords have already been exposed, however, these additional authentication measures on their own may not be enough, which is why changing the password remains the first step.