Facebook has confirmed it left millions of user passwords readable by its employees for years, after a security researcher posted about the issue online. The social network says it has since fixed the issue altogether, and it will be notifying users that were affected on an individual basis. The number of users potentially affected by this is in the hundreds of millions, going back as far as 2012. Krebs' source said "between 200 million and 600 million" Facebook users may have had their passwords exposed, and that more than 20,000 Facebook employees would have had access to the passwords.
The scandal-plagued social media giant hastened to assure users that "no passwords were exposed externally and we didn't find any evidence of abuse to date", but their post was cold comfort from the company whose CEO has explicitly called the users who trust him "dumb f***s". Facebook Lite is a version of Facebook designed for low-speed connections and low-spec phones.
Facebook says it'll notify users affected by this, but it won't require them to change their password as a result of the findings.
An anonymous source reportedly spoke to Krebs on Security about the subject, explaining that the passwords were stored in plain text - pretty much the single biggest "no-no" in password-based security - as part of recorded logs for some applications. The company wants to encourage small groups of people to carry on encrypted conversations that neither Facebook nor any other outsider can read.
Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world's largest tech companies.
Users at risk of hacking and account-takeover attempts, such as politicians, activists and journalists, can also register a hardware key for Facebook logins for additional security.
Facebook wrote that it masks users' passwords, converting the plain text into a string of random characters.
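The two failure points described above (plain-text passwords captured in application logs, and the masking that should happen before a password is stored) are illustrated by this added example; it is not Facebook's code and the field names, request lines and iteration count are assumptions chosen for the demonstration. A log filter scrubs credential-like fields before any handler writes the record, and the storage side keeps only a salted slow hash.

```python
import hashlib
import hmac
import io
import logging
import os
import re

# Field names whose values must never reach a log (constructed list for this example).
SENSITIVE_KEYS = ("passwd", "password", "pwd", "secret", "token")

# Matches key=value (query strings, form bodies) and "key": "value" (JSON) for those keys.
_KV_RE = re.compile(
    r'(?i)(?P<q>"?)\b(?P<key>' + "|".join(SENSITIVE_KEYS) + r')\b(?P=q)'
    r'(?P<sep>\s*[=:]\s*)(?P<vq>"?)(?P<val>[^&\s",}]*)(?P=vq)'
)

def redact(text: str) -> str:
    """Replace the value of every credential-like field in a log line with [REDACTED]."""
    return _KV_RE.sub(
        lambda m: f'{m["q"]}{m["key"]}{m["q"]}{m["sep"]}{m["vq"]}[REDACTED]{m["vq"]}', text
    )

class CredentialRedactingFilter(logging.Filter):
    """Scrubs the message and its arguments before any handler formats or writes the record."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(str(a)) for a in record.args)
        return True

def log_request(raw_request: str) -> str:
    """Log a raw request line through the filter; return what actually reached the log sink."""
    sink = io.StringIO()
    logger = logging.getLogger("auth-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(sink)
    handler.addFilter(CredentialRedactingFilter())
    logger.addHandler(handler)
    logger.info("request received: %s", raw_request)
    return sink.getvalue().strip()

# Storage side: never keep the plain text, only salt + PBKDF2-HMAC-SHA256 (600k rounds assumed).
def hash_password(password: str, salt: bytes = b"") -> bytes:
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000), digest)
```

Attach the filter to every handler (or the root logger) in real services, since a request logged verbatim by any single handler is enough to recreate the problem the article describes.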
Renfro said the company planned to alert Facebook users starting on Thursday, but that no password resets would be required.
Canahuati said the error had been noticed in January but did not say why an announcement had been delayed for more than two months.
If you're not using a password manager - which should be able to create a strong, unique password for you (and then help you remember it) - the general guidance is to choose a new, unique password that you haven't used on any other site or service.