DEV Community

Ben Halpern
Ben Halpern Subscriber

Posted on

Facebook stored hundreds of millions of passwords in plaintext

Krebs said as many as 600 million users could be affected — about one-fifth of the company’s 2.7 billion users, but Facebook has yet to confirm the figure.

👉 Full story on TechCrunch

Mind boggling

Top comments (27)

Collapse
 
aspittel profile image
Ali Spittel

... No plaintext passwords is always the first thing I taught students when they were learning auth. That's a pretty surprising mistake to make it through a huge engineering team.

Collapse
 
simonhaisz profile image
simonhaisz

This is likely a logging problem, not an auth problem. They store passwords as salted hashes for validation purposes. But some http logging doesn't exclude/scrub these request properly so they end up in Elastic. Why would your logs be encrypted?

In fact I expect this is only occurs with change password, not with auth or account creation. Others have been hit with this like that before.

Not to say this isn't terrible and boneheaded, but it's likely not quite as boneheaded as it first sounds.

Collapse
 
ben profile image
Ben Halpern

Based on some of what I remember from the book Accidental Billionaires, Facebook did a lot of stuff that is mind-bogglingly renegade. Bad even for even small startups.

So it probably isn’t “as bad as it sounds”, but Facebook shows up in the news in these ways too often to get much benefit of the doubt.

Thread Thread
 
aspittel profile image
Ali Spittel

I just read the TechCrunch article, 2,000 engineers had access to these logs. That's mind-blowing to me.

Thread Thread
 
simonhaisz profile image
simonhaisz

Yeah, Facebook is one of the most Valley-est of Valley companies as far as "move fast and break things" since they don't care at all about their users. Securing data according to any sort of "need to know" could slow them down so they don't bother.

Thread Thread
 
ben profile image
Ben Halpern

As far as I know they invented “move fast and break things” or are at least synonymous with it.

Thread Thread
 
kenbellows profile image
Ken Bellows

Yep, afaict Mark Zuckerberg coined it, and it was a Facebook company motto until around 2014. Though I can't seem to find any original sources from the time, it seems the famous quote is: "Move fast and break things. Unless you are breaking stuff, you are not moving fast enough."

(Also: m.xkcd.com/1428/)

Thread Thread
 
simonhaisz profile image
simonhaisz

There really is an xkcd for everything!

Collapse
 
elmuerte profile image
Michiel Hendriks

Double ROT13 just to be sure.

Collapse
 
shostarsson profile image
Rémi Lavedrine

Hence the benefit to use a Password Manager.
I should definitely write a blog post about it and how I managed to remove the hassle about password managers, multi OS (Windows, MacOs, Linux) and the mobiles (iOS, Android) and syncing all of that as simply as doing nothing (all done automatically after a first configuration). :-)
All of that on Open Source softwares and only on my devices (backup on a NAS or RaspberryPi).

Collapse
 
mustardsauce profile image
Jakub N

Would love to read that. What software do you use? 👀

Collapse
 
shostarsson profile image
Rémi Lavedrine

Actually, I wrote a post about setting up your own Dropbox and Evernote like using a Raspberry Pi and Open Source Software.
You can find it here :


Enjoy and tell me if you find it useful.
Collapse
 
__shadz_ profile image
Chardenal Matthieu

Whats the benefit if the generated password is in their log ?

Collapse
 
tiguchi profile image
Thomas Werner

The benefit of using random generated passwords is that only the password for Facebook has leaked, which cannot be used to get access to any other place online.
Since the leak is known now and most likely addressed by Facebook ASAP, the only thing you have to do is to generate a new password for Facebook, and Facebook only. No need to hunt down all places online where you may or may not have recycled the same old password123.

Another good auth practice is using Two-Factor-Authentication when offered by a website. Such is the case with Facebook. So even a leaked Facebook password doesn't mean that your account is compromised right away when you make use of that.

Thread Thread
 
__shadz_ profile image
Chardenal Matthieu

Oh ! Didnt think of that ! Thanks for the explanation :)

Thread Thread
 
shostarsson profile image
Rémi Lavedrine

A very useful website that you can use is :
haveibeenpwned.com/

You can try your email address against it and then know if your email address has been part of a data breach.

It is a website from Troy Hunt which a speaker and security professionnal. I encourage you to have a look at his website as well if you're interested in Security in general.
troyhunt.com/

Collapse
 
mortoray profile image
edA‑qa mort‑ora‑y

Hmm, somebody was just telling me how OAuth with Facebook was secure somehow.

It's not surprising. Facebook has zero interest in user privacy or user rights.

Collapse
 
ben profile image
Ben Halpern

All this stuff is totally on-brand for them but it’s still to wild to be true.

Collapse
 
gabrielecimato profile image
Gabriele Cimato

Aaaaand that's what happens when you don't take security seriously no matter what your scale is. Sure you can get better with time but the problem that I see often is that security is the first thing that flies out the window. Now their problem was not taking care of this and run with it for too long. We all make mistakes but this got a bit out of hand.

Collapse
 
devusman profile image
Usman Suleiman

Makes me feel like a pro developer...😅

Collapse
 
guico33 profile image
guico33 • Edited

To read some more elaborate opinions on the matter.

news.ycombinator.com/item?id=19453359

Collapse
 
brburzon profile image
Brandon Burzon

Would it help if we start encrypting our passwords upon sign up? 🤣

Collapse
 
drbearhands profile image
DrBearhands

You could hash it using the domain's name.

Collapse
 
yogeswaran79 profile image
Yogeswaran

I got logged out from FB recently after 2 days of using it 😂😂. I can't log into my account anymore and I'm not attend to do so. R.I.P my account LOL!

t.me/theprogrammersclub

Collapse
 
vladimirwrites profile image
Vladimir Jovanović

And I thought it can't get any worse with Facebook 🤪
But it seems that Facebook is full of surprises!

Collapse
 
10secondsofcode profile image
Elango Sundar • Edited

@ben you too, cross check the dev.to password algorithm.