Facebook Users' Passwords Stored in a Readable Format - Secure Your Account
As part of a routine security review in January, Facebook found that some user passwords were being stored in a readable format within Facebook internal data storage systems. This caught Facebook attention because Facebook login systems are designed to mask passwords using techniques that make them unreadable. Facebook have fixed these issues and as a precaution, Facebook will be notifying everyone whose passwords Facebook have found were stored in this way. To be clear, these passwords were never visible to anyone outside of Facebook and Facebook have found no evidence to date that anyone internally abused or improperly accessed them. Facebook estimate that Facebook will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.
In the course of Facebook review, Facebook has been looking at the ways Facebook store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them. There is nothing more important to Facebook than protecting people’s information, and Facebook will continue making improvements as part of Facebook ongoing security efforts at Facebook.
How Facebook Protect People’s Passwords
In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them. In security terms, Facebook “hash” and “salt” the passwords, including using a function called “scrypt” as well as a cryptographic key that lets Facebook irreversibly replace your actual password with a random set of characters. With this technique, Facebook can validate that a person is logging in with the correct password without actually having to store the password in plain text.
Because Facebook knows that people may share, reuse or have their passwords stolen, we’ve built security measures to help protect people’s accounts:
We use a variety of signals to detect suspicious activity. For example, even if a password is entered correctly, Facebook will treat it differently if Facebook detects that it is being entered from an unrecognized device or from an unusual location. When Facebook see a suspicious login attempt, we’ll ask an additional verification question to prove that the person is the real account owner.
People can also sign up to receive alerts about unrecognized logins.
Knowing some people reuse passwords across different services, Facebook keeps a close eye on data breach announcements from other organizations and publicly posted databases of stolen credentials. Facebook check if stolen email and password combinations match the same credentials being used on Facebook. If Facebook finds a match, we’ll notify you next time you login and guide you through changing your password.
To minimize the reliance on passwords, Facebook introduced the ability to register a physical security key to your account, so the next time you log in you’ll simply tap a small hardware device that goes in the USB drive of your computer. This measure is particularly critical for high-risk users including journalists, activists, political campaigns and public figures.
Securing Your Account
While no passwords were exposed externally and Facebook didn’t find any evidence of abuse to date, here are some steps you can take to keep your account secure:
You can change your password in your settings on Facebook and Instagram. Avoid reusing passwords across different services.
Pick strong and complex passwords for all your accounts. Password manager apps can help.
Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third party authentication app. When you log in with your password, Facebook will ask for a security code or to tap your security key to verify that it is you.
For more information on how to keep your Facebook account secure, please visit facebook.com/about/security.
Check the comment section for additional information, or share what you know or ask a question about this article, by clicking the 'View or Write Comment' button below.
Note: Some of the information in samples on this website may have been impersonated or spoofed.