Facebook exposed up to 600 million user passwords to its employees

Per a report from Krebs on Security on March 21, Facebook has — yet again — found a way to mishandle its users' data. This time around, it appears that Facebook incorrectly stored user passwords and made them exposed to thousands of employees.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That's according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

It's estimated that between 200 million and 600 million users had their passwords exposed, dating as far back as to ones created in 2012. During this time, over 20,000 employees at Facebook could search for and find the passwords without a problem.

Facebook says it'll notify users affected by this, but it won't require them to change their password as a result of the findings.

Speaking to Krebs on Security, Facebook Software Engineer, Scott Renfro, said:

We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this. We want to make sure we're reserving those steps and only force a password change in cases where there's definitely been signs of abuse

Even if none of the passwords were used for malicious purposes, it's incredible that stuff like this keeps happening with Facebook. We've heard the company talk about how it values its users' privacy/security, but when stories like this continue to pop up, those reassurances mean less and less.