Facebook Employees Had Access to Millions of User Passwords - NBC 7 San Diego

The company released a statement Thursday saying it would be notifying those affected in the near future



    Justin Sullivan/Getty Images, File
    This May 1, 2018, file photo shows Facebook CEO Mark Zuckerberg speaking during the F8 Facebook Developers conference in San Jose, California.

    What to Know

    • The company released a statement Thursday saying it would be notifying those affected in the near future

    • The incident may have affected between 200 million and 600 million customers and has been ongoing since 2012

    Facebook stored up to 600 million user account passwords without encryption and viewable as plain text to tens of thousands of company employees, according to a report Thursday by cybersecurity journalist Brian Krebs.

    Facebook confirmed the report in a blog post. Facebook shares were down less than 1 percent Thursday. The Irish Data Protection Commission, which administers the European Union’s General Data Protection Regulation, or GDPR, also said Thursday that Facebook had reached out over the issue: “We are currently seeking further information,” the commission said in a statement.

    The 600 million users represent a significant portion of Facebook’s user base of 2.7 billion people. The company said Thursday it planned to start notifying those affected so they could change their passwords.

    “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Facebook said in a statement. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”

    Facebook’s blog post did not say how many users were affected.

    The incidents date back to as early as 2012, according to the report. A Facebook software engineer named Scott Renfro was quoted by Krebs as saying the company hasn’t found any misuse of the data in question and that “there was no actual risk that’s come from this.”

    Facebook, however, has been under intense scrutiny due to several years of privacy and security scandals that have earned the company criticism from customers and inquiries and fines from several regulatory agencies, particularly in the European Union.

    But Facebook’s scandals haven’t significantly dented the company’s count of active daily users, which rose last quarter despite an extended social media campaign by Facebook critics encouraging privacy-minded customers to delete their accounts.

    Scrutiny to Come From Global Regulators
    This incident will undoubtedly trigger reviews by Ireland’s Data Protection Commissioner, which administers the EU’s new General Data Protection Regulation, or GDPR.

    GDPR rules both allow for a 72-hour notification window for those affected by a privacy breach, and demand companies store passwords securely. The law is somewhat ambiguous as to how to precisely define “appropriate levels of security,” but it is likely the Commission would consider plain text passwords that are stored internally and accessible to large numbers of employees as struggling to meet those standards.

    If the incident did stretch back as far as 2012, the company may also need to do a great deal of investigating into how those passwords may have been misused. Though Facebook stated in its blog post they have “found no evidence to date that anyone internally abused or improperly accessed them,” it will be difficult for the company to pinpoint whether or how someone with internal access was able to misuse a password once they were outside the company.

    This story first appeared on CNBC.com.