Facebook is in the news again for a possible security breach. This time, the company has admitted to leaving hundreds of millions of user passwords exposed in plain text.
The social media giant says these are potential visible to employees, but it doesn’t believe they were exposed to anyone outside of the company.
However, it has notified both Facebook and Instagram users if they could potentially be affected by the security vulnerability.
The Krebs on Security blog was the first to report the issue, putting the number of affected users at between 200-million and 600-million, although Facebook has declined to confirm a number.
The users most affected are those on Facebook Lite, a stripped-down version of the social media site that’s used in countries with slow connection speeds.
Paul Ducklin, senior technologist at Sophos, advises users to consider changing their passwords.
“It’s perfectly possible that no passwords at all fell into the hands of any crooks as a result of this,” he says. ” But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before), then you can expect them to be abused.
“Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed.
“So our advice is: change your password now.”
He also advises users to turn on two-factor authentication. “We’ve been urging you to do use two-factor authentication everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account.
“If you are reluctant to give Facebook your phone number, use app-based authentication, where your mobile phone generates a one-time code each time you log in.”
This incident is the latest in a series of security issues that Facebook has been subject to.
John Shier, senior security advisor at Sophos, comments: “Despite the recent public struggles Facebook has had with respect to privacy and security, this incident is a little different.
“Authentication data is something that Facebook treats very seriously and has put in place many mechanisms, both externally and internally, to ensure that user credentials are safeguarded.
“While the details of the incident are still emerging, this is likely an accidental programming error that led to the logging of plain text credentials,” he adds.
“That said, this should never have happened and Facebook needs to ensure that no user credentials or data were compromised as a result of this error. This is also another reminder for people who are still reusing passwords or using weak passwords to change their Facebook password to something strong and unique and to turn on two-factor authentication.”