When a company asks for your personal information, there’s a reasonable expectation that the private info it collects will be stored securely. There are techniques like “hashing” and “salting” (more on those in a moment) that let companies do essential tests like validating login information without exposing passwords in an easy-to-read-and-maybe-even-steal format. Unfortunately, the latest chapter in the Facebook security issues saga that has been unfolding in slow motion for the last few years exposed hundreds of millions of passwords in plain text format to thousands of internal employees.
The company hasn’t found any evidence of malicious actions. So, the plan, for now, is to notify hundreds of millions of Facebook users that were included so they can change their passwords if they want to.
Passwords are sensitive information, so they’re typically stored using cryptography to obscure their true nature. Hashing is a technique that effectively makes the password info stored by the companies useless if stolen (and means that internally, employees can’t see it, which is a good thing). Salting adds another level of security to the hashing process by adding an extra string of characters to the original password at the beginning of the process. In this case, however, these Facebook passwords were stored in plain text, which means anyone with access to them could read, understand, and even use them if they wanted.
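As an added illustration of the hashing-and-salting approach described above (example code written for this article, not Facebook's own implementation), the snippet below stores only a per-user random salt and a PBKDF2-HMAC-SHA256 digest, so a login can be validated without the plain-text password ever being kept on disk; the iteration count and record format are assumptions chosen here.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2; a deliberately slow hash makes stolen records
# expensive to brute-force. Chosen here as an assumption, not a standard.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The record never contains the password itself, only a salted digest,
    which is what makes the stored data useless to anyone who reads it.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Validate a login attempt against a stored record.

    The salt and iteration count are read back from the record, the digest is
    recomputed, and the comparison is constant-time to avoid timing leaks.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_yields_distinct_records(password: str) -> bool:
    """Salting: two users who pick the same password get different records,
    so one cracked record does not reveal the other user's password."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credential, not real user data.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
```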
Are you affected by the bug?
Facebook has already released a statement about the problem, but if your specific account was included in the database, you’ll get a notification soon letting you know about it. According to the statement, the bulk of those affected were on the Facebook Lite platform, which is a scaled-down version of the service designed for use in areas where bandwidth is limited. That segment accounts for “hundreds of millions” of compromised accounts, whereas typical Facebook users represent “tens of millions.”
Is this related to any of the other recent Facebook security issues?
While the issue itself isn’t necessarily related to past issues like the Cambridge Analytica scandal, the company reportedly found the issue, at least in part, due to the investigation of another bug that happened last September. If you changed your password as a result of any of those problems, it’s unclear if that is enough to ensure your privacy.
What should you do about it?
Facebook says it’s not imperative to change your password at the moment since there’s no evidence of any wrongdoing, but that could change in the future as the company discovers more information about the bug. For now, we recommend using a password manager to log into your stuff as a best practice. If you’re not willing to make that step, change your Facebook password (and that of any other account for which you used the same password) for now.
What about Instagram?
Unfortunately, a reported Instagram bug may have also exposed some user passwords via the “Download Your Data” tool that the company released to give users access to their photos and information. According to Facebook, the issue only affected a “small number” of users, but if you have downloaded your info from Facebook, changing your password over there is probably a good idea as well.