Fraud Management & Cybercrime , Governance & Risk Management , Incident & Breach Response
Facebook Password, Email Contact Mishandling WorsensMillions of Instagram Users Affected by Plain-Text Password Storage
Two security issues disclosed by Facebook over the past month are worse than first thought, adding to a harrowing series of data-handling mishaps by the social network.
In mid-March the social network disclosed that it had been storing plain-text passwords for hundreds of millions of users going back to 2012 (see: Report: Facebook Stored Millions of Passwords in Plaintext).
The passwords were searchable, but not improperly accessed, by Facebook employees, the company wrote in a March 21 blog post. Security writer Brian Krebs first reported on the situation.
In an update to that post on Thursday, Facebook writes: "We discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users."
Facebook plans to notify those newly affected users. It was first thought the issue only affected tens of thousands of Instagram users.
Email Contacts Issue Affects 1.5 Million
The second issue involves Facebook's former practice of asking some new users for their email passwords as part of its signup process, which Business Insider reported on April 3.
The practice, which was intended to help people find their friends, immediately raised eyebrows because it could increase the chances that an email account could be compromised, through either a mishandling of data or phishing attacks.
It was first highlighted by Twitter user @originalesushi and appeared to only apply to people who signed up using email domains from certain providers, such as Yandex and GMX, Business Insider reported.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l— e-sushi (@originalesushi) 31 March 2019
Facebook told Information Security Media Group on Thursday that it "unintentionally" uploaded the email contact lists for 1.5 million new users since May 2016. If users didn't enter the password, they couldn't create accounts. But if they did, users were not notified their email contacts would be sent to Facebook.
Before May 2016, Facebook asked some users for their email password as part of an identity check, but gave people the option if they wanted to upload their email contacts, Business Insider reports.
Facebook says it will delete the email contacts data for the 1.5 million users. The email contacts data was used for targeted advertising, friend recommendations and building webs of connections, Business Insider reported.
Facebook ended the email password verification practice earlier this month (see Dark Patterns: How Weaponized Usability Hurts Users).
Plain-Text Password Storage
Krebs' report on March 21, which was sourced to an anonymous senior Facebook employee, described how plain-text passwords had been stored for hundreds of millions of users going back to 2012.
The password storage issue affected users of Facebook Lite, the slimmed down version of the application that's designed for users where connectivity may be challenging.
Facebook didn't give a reason why it was storing passwords in plain text. It explained that it follows industry practices for handling passwords, which means it's only retaining a salted hash, or a cryptographic representation of a password that would be unusable if captured by an attacker.
"In line with security best practices, Facebook masks people's passwords when they create an account so that no one at the company can see them," the social media company says. "In security terms, we 'hash' and 'salt' the passwords, including using a function called 'scrypt' as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters."
Facebook isn't mandating a password reset for accounts, but in its March 21 blog post did advise how users could change passwords and advised users to set a unique, strong one.
The security issues add to more headwinds for Facebook, which despite a series of scandals, data breaches, lawsuits and regulatory inquiries is nonetheless trying to convince the public it is shifting to a more privacy-centric platform.
Early last month, Mark Zuckerberg acknowledged the suspicion around the move given the social network's patchy security record.
"I understand that many people don't think Facebook can or would even want to build this kind of privacy-focused platform - because frankly we don't currently have a strong reputation for building privacy protective services, and we've historically focused on tools for more open sharing," Zuckerberg writes.
Looming large is an ongoing investigation by the Federal Trade Commission into the Cambridge Analytica scandal and whether Facebook violated a 2011 settlement. The settlement put Facebook on a monitoring regime aimed to ensuring users' consent was gained before sharing their data (see: Report: Federal Trade Commission Weighs Facebook Fine).
The Washington Post reported on Thursday that the FTC may be mulling whether to hold CEO Mark Zuckerberg more accountable for the site's data handling mishaps, a move that could send a strong signal about executive responsibility for data lapses.