Yet another Facebook security bungle has emerged, leaving literally millions of user passwords exposed, so, uh, you might wanna change yours.

When a company stores your password, they usually obscure it using a one-way process called hashing. Essentially, this makes it look like garbled trash to anyone looking at the data, but the website in question can still check it: when you log in, it hashes what you typed and compares the result with the stored value. In other words, the stored password can be verified by the website but not read by anyone, which is how it should be.
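Here is roughly what hashed storage looks like next to plain-text storage. This is an added example, not code from Facebook or Krebs on Security; the function names, the sample password and the PBKDF2 settings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str) -> dict:
    """Return the record a site would store instead of the password itself."""
    salt = secrets.token_bytes(16)  # unique per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(attempt: str, record: dict) -> bool:
    """Re-hash the login attempt with the stored salt and compare digests."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample password, not taken from the article.
    plaintext_row = {"user": "alice", "password": "correct horse battery"}
    hashed_row = {"user": "alice", **hash_password("correct horse battery")}
    print("plain-text storage:", plaintext_row)  # readable by anyone with access
    print("hashed storage:    ", hashed_row)     # no password anywhere in the row
    print("right password:", verify_password("correct horse battery", hashed_row))
    print("wrong password:", verify_password("letmein", hashed_row))
```

Anyone who can read the first row has the password; anyone who reads the second row still has to guess it, one slow hash at a time.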

As it turns out, Facebook was straight-up storing hundreds of millions of passwords as plain text, leaving them easily visible to thousands of employees who had access. As first reported by Krebs on Security, the company has apparently been storing passwords this way for years, with some dating all the way back to 2012.

Facebook confirmed the issue in a recent blog post called Keeping Passwords Secure, saying it has since fixed the issue and assured users that there have been no breaches or abuse of the data at any time. While that may be true, a whopping 20,000 staff members had access to the passwords, 2,000 of whom are believed to have searched through them.

The company says passwords were stored this way for “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”. In total, between 200 million and 600 million users are thought to be affected. No matter how you slice it, that’s a bloody lot.

While it’s likely no one outside of Facebook got a hold of any of this data, it’s still a good idea to change your password anyway. Better to be safe than sorry, you know?

Source: Krebs on Security