It is time to change your Facebook password
Facebook seems to be moving from one privacy scandal to another and appears unable to put its house in order. First there was the Cambridge Analytica revelation, then the admission that it was hacked last year and that up to 50 million accounts were compromised.
Now it has revealed that it has been storing between 200 million and 600 million user passwords in plain text for years, neither hashed nor encrypted, which means that its own employees would have been able to read them.
The issue was first reported by KrebsOnSecurity. In an interview with KrebsOnSecurity, Facebook would not confirm how many employees had access to the data, nor exactly how many accounts may have been affected by this latest mishap. Facebook also said that no password resets were necessary, as only its employees would have had access to the data.
Unfortunately, I do not agree with that latest statement. The main reason for hashing passwords, rather than storing them in plain text or even encrypting them, is that the internet is not a secure place and the company holding the passwords is itself a target; as Facebook's admission that it was hacked last year shows, an attacker who got inside could perhaps have seen some of the passwords that were stored in plain text. A properly hashed password table gives such an attacker, or a curious employee, nothing that can be used to log in directly.
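To make the difference concrete, here is an added example of how a service should store passwords so that neither a database dump nor an employee with table access yields anything usable. This is illustrative code written for this article, not Facebook's code or any particular library's API; the record format, the `pbkdf2_sha256$...` layout and the iteration count are assumptions chosen for the example. Each password is hashed with PBKDF2-HMAC-SHA256 and a per-user random salt, and login checks recompute the hash instead of ever comparing plain text:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
# Work factor for PBKDF2-HMAC-SHA256. OWASP's 2023 guidance is 600,000
# iterations; this assumed default is lower only so the example runs quickly.
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table built for one salt is useless
    against another. The salt and iteration count are stored alongside the
    hash so the work factor can be raised later without breaking old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and iterations, compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_user_table(credentials: Dict[str, str],
                     iterations: int = DEFAULT_ITERATIONS) -> Dict[str, str]:
    """What the service keeps on disk: hashed records only, never the passwords."""
    return {user: hash_password(pw, iterations=iterations)
            for user, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample users; bob and carol deliberately share a password.
    users = {"alice": "correct horse battery staple", "bob": "hunter2", "carol": "hunter2"}
    table = build_user_table(users, iterations=50_000)
    for user, record in table.items():
        print(user, record)
    assert table["bob"] != table["carol"]          # same password, different salt
    assert verify_password(table["bob"], "hunter2")
    assert not verify_password(table["bob"], "Hunter2")
```

Dumping `table` is what an insider or an intruder would get: salted hashes that still have to be brute-forced one user at a time at the chosen work factor. Note that PBKDF2 is used here because it ships in Python's standard library; for a new system, a memory-hard function such as Argon2id or scrypt is the stronger choice.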
This latest issue is another example of why you should never reuse a password across multiple websites. If you do reuse passwords, and criminals know that many people do, then you are making it very easy for an attacker to get into every website where you have used the same login details. It is possible that Facebook is correct in stating that, to its knowledge, the plain text passwords were not abused; but isn't it also possible that a dishonest employee copied some of the passwords and passed them on, or even used them to gain access to your accounts on other websites?
Earlier this year, researchers discovered a huge trove of data containing more than 25 billion records of user names and passwords, gathered from websites that had been hacked over the years. Criminals have been exploiting data like this for years through credential stuffing: taking the username and password pairs from old breaches and automatically trying them against a myriad of other online services, relying on the fact that some fraction of people reused the same password there. Only a small percentage of attempts succeed, but at the scale of billions of records that is still a great many accounts. A good example is the case of Deliveroo customers having their accounts taken over by hackers.
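Credential stuffing has a recognisable shape in a service's own login logs: one source tries many different usernames in a short time and almost all of the attempts fail. The following is an added example of that detection logic, written for this article rather than taken from any real product. The log line format, the IP addresses, the sample events and the thresholds are all constructed for the example; the distinguishing check is that a busy office gateway also shows many usernames, but with a high success rate, so a low success ratio is required before a source is flagged:

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple


class LoginEvent(NamedTuple):
    ts: float        # seconds since the Unix epoch
    src_ip: str
    username: str
    success: bool


# Constructed log format for this example (not any real product's format):
# 2019-03-22T10:00:00Z ip=203.0.113.7 user=alice result=FAIL
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_auth_line(line: str) -> LoginEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth line: {line!r}")
    when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return LoginEvent(when.timestamp(), m.group(2), m.group(3), m.group(4) == "OK")


def detect_credential_stuffing(events: Iterable[LoginEvent], *,
                               window_seconds: int = 300,
                               min_distinct_users: int = 20,
                               max_success_ratio: float = 0.2
                               ) -> Dict[str, Tuple[int, int, int]]:
    """Flag sources that hit many distinct usernames in a sliding window with mostly failures.

    Returns {src_ip: (distinct_usernames, attempts, successes)} at the point of
    the source's widest spread. Thresholds are assumed values for the example.
    """
    windows: Dict[str, Deque[LoginEvent]] = defaultdict(deque)
    in_window: Dict[str, Counter] = defaultdict(Counter)   # ip -> username -> count
    flagged: Dict[str, Tuple[int, int, int]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q, users = windows[ev.src_ip], in_window[ev.src_ip]
        q.append(ev)
        users[ev.username] += 1
        # Expire events that fell out of the sliding window.
        while q and ev.ts - q[0].ts > window_seconds:
            old = q.popleft()
            users[old.username] -= 1
            if users[old.username] == 0:
                del users[old.username]
        distinct = len(users)
        if distinct < min_distinct_users:
            continue
        successes = sum(1 for e in q if e.success)
        if successes / len(q) > max_success_ratio:
            continue   # many users but mostly correct passwords: looks like a shared gateway
        prev = flagged.get(ev.src_ip)
        if prev is None or distinct > prev[0]:
            flagged[ev.src_ip] = (distinct, len(q), successes)
    return flagged


def sample_log_lines() -> List[str]:
    """Constructed sample: one stuffing source, one busy office NAT, one fumbling user."""
    base = datetime(2019, 3, 22, 10, 0, tzinfo=timezone.utc)

    def stamp(seconds: int) -> str:
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # Stuffing: 50 different usernames in under two minutes, only two of which succeed.
    for i in range(50):
        result = "OK" if i in (7, 31) else "FAIL"
        lines.append(f"{stamp(i * 2)} ip=203.0.113.7 user=user{i:03d} result={result}")
    # Office NAT: 30 staff logging in, almost all correct first time.
    for i in range(30):
        result = "FAIL" if i == 4 else "OK"
        lines.append(f"{stamp(i * 5)} ip=198.51.100.2 user=staff{i:02d} result={result}")
    # One person mistyping their own password twice before getting it right.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"{stamp(i * 20)} ip=192.0.2.9 user=bob result={result}")
    return lines


def run_detection(lines: Iterable[str]) -> Dict[str, Tuple[int, int, int]]:
    return detect_credential_stuffing(parse_auth_line(line) for line in lines)


if __name__ == "__main__":
    for ip, (distinct, attempts, successes) in run_detection(sample_log_lines()).items():
        print(f"{ip}: {distinct} usernames, {attempts} attempts, {successes} successes")
```

On the constructed sample only 203.0.113.7 is reported, with 50 usernames and 2 successes out of 50 attempts; the office gateway never drops below a high success ratio and the single mistyping user never reaches the username threshold. Real attackers spread attempts across many source addresses, so in practice the same counters are also kept per username and per password-hash prefix, and the thresholds are tuned against the service's own baseline.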
The best protection is to use strong passwords, a different one for every online service you use, and to store them in a reliable password manager such as LastPass, Dashlane or Roboform. Where a service offers two-factor authentication, turn it on as well, so that a leaked password on its own is not enough to get into your account.