Facebook issued an important statement about account security from their Newsroom yesterday.
It turns out that the company discovered back in January that “some user passwords were being stored in a readable format within our internal data storage systems.” Hundreds of millions of users may have been affected, though the company wasn’t forthcoming with the exact number of passwords exposed. According to Wired, a report by the website Krebs on Security forced the company to admit that the passwords were stored in a simple readable format that some Facebook employees could see.
The company has confirmed that passwords from Facebook, Facebook Lite, and Instagram were exposed on the company’s internal servers. Facebook said it estimates that it will need to notify hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users about the event.
Unlike the massive data breach in September 2018, this has not prompted Facebook to mandate password changes for users. The company instead offered some recommendations to users for securing their accounts, including changing passwords (and not reusing old ones). It also suggested that users enable two-factor authentication, set strong and complex passwords, and use a security key.
The last of these is highly recommended if you are a prominent figure or have a lot of sensitive data to protect. A security key is a physical device that plugs into a USB port on a computer. Users can register a device with Facebook, which will use it to confirm their identity when they log in. This means that even if a password is compromised, a hacker would need access to the actual, physical key in order to access an account.
At the moment, there’s no way to know if your account password was among those exposed on the internal server, but it would be wise for all Facebook, Facebook Lite, and Instagram users to update their passwords, just in case.
It’s still unclear why Facebook waited 2 months to inform users of the news. Let’s hope the company is more forthcoming, and quicker about it, in the future.