DEV Community

Discussion on: Facebook stored hundreds of millions of passwords in plaintext

Ali Spittel

... No plaintext passwords is always the first thing I taught students when they were learning auth. That's a pretty surprising mistake to make it through a huge engineering team.

Michiel Hendriks

Double ROT13 just to be sure.

simonhaisz

This is likely a logging problem, not an auth problem. They store passwords as salted hashes for validation purposes. But some HTTP logging doesn't exclude/scrub these requests properly so they end up in Elastic. Why would your logs be encrypted?

In fact I expect this only occurs with change password, not with auth or account creation. Others have been hit with this like that before.

Not to say this isn't terrible and boneheaded, but it's likely not quite as boneheaded as it first sounds.
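
Added example, not part of the original comment or of any Facebook code: a minimal Python `logging` filter that scrubs password fields from HTTP request bodies before they reach a log sink, and drops any body it cannot parse. The field names in `SENSITIVE` and the `http_body` / `content_type` record attributes are assumptions made for the illustration.

```python
import json
import logging
from urllib.parse import parse_qsl, urlencode

# Assumed field names; extend to match the application's own forms.
SENSITIVE = {"password", "new_password", "old_password", "password_confirmation"}
MASK = "[REDACTED]"

def _scrub(value):
    """Recursively mask sensitive keys in decoded JSON."""
    if isinstance(value, dict):
        return {k: MASK if k.lower() in SENSITIVE else _scrub(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub(v) for v in value]
    return value

def scrub_body(body: str, content_type: str) -> str:
    """Return a copy of an HTTP request body that is safe to log."""
    ctype = content_type.split(";")[0].strip().lower()
    try:
        if ctype == "application/json":
            return json.dumps(_scrub(json.loads(body)))
        if ctype == "application/x-www-form-urlencoded":
            pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
            return urlencode([(k, MASK if k.lower() in SENSITIVE else v)
                              for k, v in pairs])
    except ValueError:
        pass  # malformed JSON or form data falls through to the safe default
    # Unknown or unparseable body: fail closed and log only its length.
    return f"[body omitted, {len(body)} chars]"

class ScrubRequestBody(logging.Filter):
    """Scrub record.http_body (hypothetical attribute set by the request logger)."""
    def filter(self, record):
        if hasattr(record, "http_body"):
            record.http_body = scrub_body(
                record.http_body, getattr(record, "content_type", ""))
        return True
```

Attach the filter to the handler that ships logs off the host, so every logger writing through that handler is covered.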

Ben Halpern

Based on some of what I remember from the book Accidental Billionaires, Facebook did a lot of stuff that is mind-bogglingly renegade. Bad even for small startups.

So it probably isn’t “as bad as it sounds”, but Facebook shows up in the news in these ways too often to get much benefit of the doubt.

Ali Spittel

I just read the TechCrunch article, 2,000 engineers had access to these logs. That's mind-blowing to me.

simonhaisz

Yeah, Facebook is one of the most Valley-est of Valley companies as far as "move fast and break things" since they don't care at all about their users. Securing data according to any sort of "need to know" could slow them down so they don't bother.

Ben Halpern

As far as I know they invented “move fast and break things” or are at least synonymous with it.

Ken Bellows

Yep, afaict Mark Zuckerberg coined it, and it was a Facebook company motto until around 2014. Though I can't seem to find any original sources from the time, it seems the famous quote is: "Move fast and break things. Unless you are breaking stuff, you are not moving fast enough."

(Also: m.xkcd.com/1428/)

simonhaisz

There really is an xkcd for everything!