Hundreds of millions of Facebook users had their account passwords visible in plain text to the platform’s employees, potentially creating security vulnerabilities on third-party sites that use the same passwords, cybersecurity experts have warned.
Between 200 million and 600 million Facebook users had their passwords searchable by some 20,000 of Facebook’s staff dating back as far as 2012, according to an investigation by independent cybersecurity journalist Brian Krebs.
Facebook acknowledged the password mishap but wouldn’t go into detail about the number of affected users, or for how long the plain text passwords were visible to employees.
Businesses such as Facebook are normally expected to protect user passwords by making them unreadable with hashing, a cryptographic technique that replaces the plain text password with a scrambled string derived from it, so that the original cannot be read back from what is stored.
In a statement, Facebook VP of engineering, security and privacy Pedro Canahuati said that the passwords were never visible to anyone outside of the social media firm.
“We have found no evidence to date that anyone internally abused or improperly accessed them,” said Canahuati.
Facebook password error – the latest scandal
But that hasn’t stopped the cybersecurity community from criticising the social media giant for its latest privacy blunder.
“The poor cybersecurity practices at Facebook continue in spite of the fact that it is trying hard to persuade users that it is prioritising privacy as a fundamental value,” said Joseph Carson, chief security scientist at cybersecurity firm Thycotic.
“These continued cyber incidents occurring at Facebook demonstrate that user privacy is not a priority and continue to expose users to serious threats from cyberattacks, given the number of breaches it has experienced in recent years.”
In September last year, Facebook suffered a breach in which the profiles of up to 50 million users were exposed. The latest privacy incident is a blow to the scandal-ridden company’s recent commitment to develop a “privacy-focused” social network.
“Storing passwords in plain text at any stage in a company’s history could spell disaster but it certainly isn’t what the public would expect from one of the largest tech firms in the world,” said Jake Moore, cybersecurity specialist at threat detection firm ESET.
Use a password manager
Both Moore and Carson advised users to change their passwords, pointing out that many users use the same passwords across multiple websites, as well as using their Facebook account to log in to third-party websites, potentially creating an extra security vulnerability.
“The majority of users continue to use bad password hygiene such as re-using passwords for all credentials and accounts which means Facebook employees not only have the password in plain text for users’ Facebook accounts, but potentially also their bank account, their online health data and other highly sensitive data,” said Carson.
“Many people sign in to numerous other applications using their Facebook credentials which can increase the security problems,” added Moore.
Instead of reusing the same password across accounts, users should use a password manager to create and store passwords, both cybersecurity experts advised.
Facebook recommended that users change their passwords and said it will notify everyone whose password may have been visible to its staff.