Yesterday morning, I received this message in my inbox from Facebook:
“It looks like someone may have accessed your Facebook account. To secure your account, you’ll need to answer a few questions and change your password the next time you go to Facebook.
For your protection, no one can see you on Facebook until you secure your account.
The Facebook Security Team.”
Later, I followed the steps provided and reset my password, then forgot about the issue until this morning, when I came to learn that millions of Facebook passwords had been exposed.
It has since emerged that Facebook erroneously stored “hundreds of millions” of passwords in plaintext, neither hashed nor encrypted, an error the company has now publicly admitted.
In a post published online, Pedro Canahuati, the firm’s VP in charge of Engineering, Security and Privacy, said that during the social network’s “routine security review in January” it found that some user passwords were being stored in a readable format within its internal data storage systems.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” noted Canahuati.
Being among those contacted (or notified), I now know that my password was among those “stored in readable format.”
But in an attempt to allay users’ fears that third parties may have accessed their passwords, Canahuati emphasised: “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.”
Canahuati further emphasised in his statement that, in line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them.
“In security terms, we ‘hash’ and ‘salt’ the passwords, including using a function called ‘scrypt’ as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text,” he added.
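What Canahuati describes, a salted scrypt hash combined with a server-side cryptographic key, looks roughly like the following. This is an added illustration written for this post, not Facebook’s code: the scrypt parameters, the record format and the PEPPER value are assumptions for the example, and the “cryptographic key” is modelled as an HMAC over the scrypt output, which is one common way to apply such a key. The point it makes is the one in the quote: the credential store holds only the salt and the tag, and a login is checked by recomputing the tag, so the plaintext never needs to be written anywhere.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical server-side key ("pepper"), assumed to live in a key-management
# service rather than next to the credential records. Constructed for this
# example; a real deployment generates it with os.urandom and never hard-codes it.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# scrypt work parameters (assumed). N=2**14, r=8 needs about 16 MiB per hash,
# inside hashlib.scrypt's default memory limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SCHEME = "scrypt"


def derive_tag(password: str, salt: bytes, n: int, r: int, p: int, pepper: bytes) -> bytes:
    """Salted scrypt of the password, then keyed with the pepper via HMAC-SHA256.
    Without the pepper a stolen record cannot even be brute-forced offline."""
    stretched = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return hmac.new(pepper, stretched, hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER, salt: Optional[bytes] = None) -> str:
    """Returns the record a credential store keeps: scheme, parameters, salt and tag.
    The password itself appears nowhere in it."""
    salt = os.urandom(16) if salt is None else salt
    tag = derive_tag(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P, pepper)
    return "$".join([SCHEME, str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), tag.hex()])


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Login check: recompute the tag with the stored parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != SCHEME:
        return False  # malformed or unknown scheme, e.g. a plaintext value left in the column
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return False
    return hmac.compare_digest(derive_tag(password, salt, n, r, p, pepper), expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                                    # no plaintext in here
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Correct horse battery staple", record))  # False
```

Two design points worth noting: the parameters are stored alongside the tag so that the work factor can be raised later without breaking existing logins, and `verify_password` refuses anything that is not a well-formed record, which is exactly the state a column accidentally filled with plaintext would be in.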
However, despite Facebook’s assurances, one cannot take chances, and cyber security experts are now weighing in and advising users to change their passwords, as I did.
Paul Ducklin, a senior technologist at Sophos, said: “Why not? It’s perfectly possible that no passwords at all fell into the hands of any crooks as a result of this. But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before), then you can expect them to be abused.”
“Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed. So our advice is: change your password now.”
On whether Facebook account holders need to activate (or turn on) two-factor authentication, something Facebook’s Canahuati has also recommended, Ducklin concurred, stating that users need to turn on the security feature ‘now’.
Stated Ducklin: “Yes, turn on two-factor authentication (2FA) now. We’ve been urging you to use two-factor authentication everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account. If you are reluctant to give Facebook your phone number, use app-based authentication, where your mobile phone generates a one-time code each time you log in.”
With some calling on users to deactivate and close their Facebook accounts, Ducklin is of the opinion that this is an individual decision which Sophos ‘can’t answer’ for Facebook’s users.
“We can’t answer that for you. Given that the wrongly-stored passwords weren’t easily accessible in one database, or deliberately stored for routine use during logins, we don’t think this breach alone is enough reason to terminate your account. On the other hand, it’s a pretty poor look for Facebook, and it might be enough, amongst all the other privacy concerns that have dogged Facebook in recent years, to convince you to take that final step. In short, you have to decide for yourself. If it helps you decide, we’re not closing our accounts,” he noted in conclusion.
Still weighing in on the latest security incident at Facebook, John Shier, senior security advisor at Sophos, noted that despite the recent public struggles Facebook has had with respect to privacy and security, this incident is a little different.
“Authentication data is something that Facebook treats very seriously and has put in place many mechanisms, both externally and internally, to ensure that user credentials are safeguarded. While the details of the incident are still emerging, this is likely an accidental programming error that led to the logging of plain text credentials. That said, this should never have happened and Facebook needs to ensure that no user credentials or data were compromised as a result of this error,” stated Shier.
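Shier’s reading is that the plaintext reached internal storage through an accidental logging path. The usual defence is to scrub credentials before anything writes them: once at the structured-data layer, where field names are known, and once more at the log handler, which catches hand-built messages that bypass the first step. Below is an added example of that pattern, not Facebook’s or Sophos’s code; the field list, `SAMPLE_REQUEST` and the logger name are constructed for the example.

```python
import io
import json
import logging
import re
from typing import Any

# Field names treated as credentials (assumed list for the example).
SENSITIVE_KEYS = frozenset({"password", "passwd", "pass", "new_password", "old_password", "access_token"})
REDACTED = "[REDACTED]"

# key=value credentials as they appear in query strings or hand-built log messages.
_KV_RE = re.compile(r"\b(password|passwd|pass|new_password|old_password|access_token)=([^\s&;,]+)", re.IGNORECASE)

# Constructed login request, the shape a form post produces.
SAMPLE_REQUEST = {"username": "alice", "password": "hunter2", "remember": True}


def redact_mapping(obj: Any) -> Any:
    """Recursively replaces the values of sensitive keys in dict/list structures."""
    if isinstance(obj, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_mapping(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_mapping(v) for v in obj]
    return obj


def redact_text(text: str) -> str:
    """Scrubs key=value credentials embedded in a free-form line."""
    return _KV_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", text)


class CredentialRedactingFilter(logging.Filter):
    """Last line of defence: rewrites each record before the handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # already interpolated above
        return True


def build_logger(stream: io.StringIO) -> logging.Logger:
    """A private logger writing to `stream`, so the example does not touch the global registry."""
    logger = logging.Logger("login-demo", level=logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(CredentialRedactingFilter())
    logger.addHandler(handler)
    return logger


def capture_login_log(request: dict = SAMPLE_REQUEST) -> str:
    """Logs a login request two common ways and returns what would have reached disk."""
    stream = io.StringIO()
    log = build_logger(stream)
    # Correct path: scrub the structure before serialising it.
    log.info("login body=%s", json.dumps(redact_mapping(request)))
    # Sloppy path, the kind of mistake that leaks plaintext: dump the raw form
    # string. The handler-level filter catches it anyway.
    form = "&".join(f"{k}={v}" for k, v in request.items())
    log.debug("raw form: %s", form)
    return stream.getvalue()


if __name__ == "__main__":
    print(capture_login_log(), end="")
```

Neither layer is sufficient on its own: the regex does not understand JSON (`"password": "hunter2"` has no `=`), and the structural scrub does nothing for a developer who formats the raw form string by hand, so both run.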
Overall, let’s aim to use strong(er) passwords and activate two-factor authentication for our Facebook accounts. That way, the next time such an incident occurs, there will be far less to be anxious about.