KrebsOnSecurity has reached a long-term Facebook employee who agreed to speak with the journalists on condition of anonymity. According to this source, an internal investigation found that the passwords of between 200 million and 600 million user accounts had been stored on the company's servers in plain text. In response, Facebook issued an official statement saying that a routine security review in January this year revealed that some user passwords were being stored on its servers in an unencrypted form. The company says the problem has already been fixed and that users whose passwords were exposed will be notified promptly.
The same anonymous source claims that the oldest archives found to contain unprotected user data date back to 2012, which would mean the practice had been going on for at least seven years. More than 20,000 Facebook employees had access to the data, and according to log analysis roughly 2,000 of them, engineers and developers, made a total of about 9 million queries that touched data fragments containing unprotected passwords.
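The two paragraphs above describe the failure mode in general terms: the password itself was persisted, and it then turned up in archives and query results that many staff could read. The following Python is an added illustration, not code from the article or from Facebook, and the user names, passwords, log lines and the PBKDF2 iteration count are constructed assumptions. It places the weak pattern (keeping the literal password) beside the hardened one (keeping only a salted, slow hash and verifying by recomputation), and adds the kind of check a defender would run over archives: a scan for fields that look like plain-text password values.

```python
import hashlib
import hmac
import os
import re

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to current guidance and hardware.
PBKDF2_ITERATIONS = 210_000


# --- Weak pattern: the literal password is persisted. Anyone who can read the
# record (or a log or archive that copies it) learns the secret. ---
def store_plaintext(users: dict, username: str, password: str) -> None:
    users[username] = {"password": password}


def verify_plaintext(users: dict, username: str, password: str) -> bool:
    rec = users.get(username)
    return rec is not None and hmac.compare_digest(rec["password"], password)


# --- Hardened pattern: persist only a per-user salt and a slow hash. The record
# reveals nothing usable even to someone with full read access. ---
def store_hashed(users: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    users[username] = {
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_hashed(users: dict, username: str, password: str) -> bool:
    rec = users.get(username)
    if rec is None:
        # Burn the same work for unknown users so response time does not
        # reveal whether the account exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(rec["salt"]), rec["iterations"]
    )
    return hmac.compare_digest(digest.hex(), rec["hash"])


def record_exposes_password(record: dict, password: str) -> bool:
    """Heuristic: can the secret be read straight out of the stored record?"""
    return any(isinstance(v, str) and password in v for v in record.values())


# --- Archive check: flag log lines that carry a password-like field in the clear.
# Keys are the common names such fields take; the line format is constructed. ---
_PASSWORD_FIELD = re.compile(r"\b(password|passwd|pwd|pass)=([^\s,;]+)", re.IGNORECASE)


def find_plaintext_password_fields(log_lines):
    """Return (line_number, field_name) for every line with a password field
    whose value does not look like a hash (i.e. is not a long hex string)."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for key, value in _PASSWORD_FIELD.findall(line):
            if not re.fullmatch(r"[0-9a-fA-F]{32,}", value):
                hits.append((lineno, key))
    return hits


# Constructed sample archive lines, not real log data.
SAMPLE_LOG = [
    "2019-01-15T10:02:11Z app=login user=alice result=ok",
    "2019-01-15T10:02:12Z app=login user=bob password=hunter2 result=ok",
    "2019-01-15T10:02:13Z app=signup user=carol pwd=" + "a" * 64 + " result=ok",
    "2019-01-15T10:02:14Z app=reset user=dave passwd=Summer2019! result=ok",
]

if __name__ == "__main__":
    users = {}
    store_plaintext(users, "alice", "hunter2")
    store_hashed(users, "bob", "hunter2")
    print("plaintext record exposes secret:", record_exposes_password(users["alice"], "hunter2"))
    print("hashed record exposes secret:   ", record_exposes_password(users["bob"], "hunter2"))
    print("lines with clear-text password fields:", find_plaintext_password_fields(SAMPLE_LOG))
```

The archive scan is deliberately coarse: it catches the obvious `password=` style fields a reviewer would grep for first, and skips values that are already long hex digests. In practice the stronger control is the one in `store_hashed`: if the application never holds a reusable secret after the hash is computed, there is nothing for an internal tool to copy into a log in the first place.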
Scott Renfro, a software engineer at Facebook, assures KrebsOnSecurity in an interview that the internal investigation found no indication that any employee deliberately searched the database for sensitive data, and no sign that it was misused by anyone. The company will not force a password reset unless there is a specific reason to, and for the time being it says there is none. In its official statement, however, Facebook encourages users to change their password and enable two-factor authentication, just in case. Renfro declined to comment on the details provided by the anonymous employee, saying the company is not yet ready to release official figures.
This is not Facebook's first privacy-related misstep in recent times. Last December, journalists from the New York Times reported that the service sold user data to third parties without the users' knowledge.