Facebook Left Hundreds of Millions of Passwords Exposed to Its Employees

Security data from several of the company’s products may have been stored as plain text.

Ting Shen/Xinhua via ZUMA

Let our journalists help you make sense of the noise: Subscribe to the Mother Jones Daily newsletter and get a recap of news that matters.

Facebook stored hundreds of millions of its users’ passwords in a “readable format” according to the company, leaving them exposed to employees with access to the internal files.

The company disclosed the incident in a post on its public relations portal. Facebook’s description of plans to notify affected users suggest the scale of the security breach, which included “hundreds of millions of Facebook Lite users,” referring to a stripped down version of its app offered in countries with less broadband access, as well as “tens of millions of other Facebook users, and tens of thousands of Instagram users.”

Facebook explained that it usually masks passwords to prevent employees from being able to access them internally. “In security terms, we ‘hash’ and ‘salt” the passwords, including using a function called ‘scrypt’ as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters,” the company detailed in its post. “With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.”

While the company did not explicitly admit to keeping the files in plain text, Brian Krebs of Krebs on Security, who broke the news of the exposed passwords, reported the files had been exposed in easily readable, plain text, inside a searchable database to which thousands of its employees had access.

Facebook claims it has not yet found any examples of the password database being abused by its employees, or evidence that passwords had been obtained by anyone outside the company. In its post, the company advised users against using the same password on different services, while suggesting users may want to change Facebook and Instagram passwords.

The security gaffe comes days after Facebook CEO Mark Zuckerberg announced a new pivot to privacy at the company, laying out a 3,000 word plan for a new “privacy-focused vision.”


Headshot of Editor in Chief of Mother Jones, Clara Jeffery

It sure feels that way to me, and here at Mother Jones, we’ve been thinking a lot about what journalism needs to do differently, and how we can have the biggest impact.

We kept coming back to one word: corruption. Democracy and the rule of law being undermined by those with wealth and power for their own gain. So we're launching an ambitious Mother Jones Corruption Project to do deep, time-intensive reporting on systemic corruption, and asking the MoJo community to help crowdfund it.

We aim to hire, build a team, and give them the time and space needed to understand how we got here and how we might get out. We want to dig into the forces and decisions that have allowed massive conflicts of interest, influence peddling, and win-at-all-costs politics to flourish.

It's unlike anything we've done, and we have seed funding to get started, but we're looking to raise $500,000 from readers by July when we'll be making key budgeting decisions—and the more resources we have by then, the deeper we can dig. If our plan sounds good to you, please help kickstart it with a tax-deductible donation today.

Thanks for reading—whether or not you can pitch in today, or ever, I'm glad you're with us.

Signed by Clara Jeffery

Clara Jeffery, Editor-in-Chief

payment methods

We Recommend