Facebook stored hundreds of millions of passwords in Plain Text
March 22, 2019 | Filed Under: Security, Security News
Who do you trust with your data? You probably wouldn’t give out your name, email, phone number and mailing address to a stranger on the street. On the internet, it’s a different story. Most online services we use require extensive personal information; if the want — or need — these websites fulfill is great enough, we will readily hand it over.
This is not necessarily unreasonable. We often assume that huge corporations with large budgets will devote at least a portion of their spending to data security. After all, there are dozens of laws and regulations on the books covering the protection of sensitive personal information and private data, and these tech giants have both the knowledge and the resources to abide by them. It seems logical that they would take some basic precautions to avoid the consequences.
Of course, a budget large enough to seriously address security concerns is also large enough to stave off lawsuits and pay off fines. We are continuously confronted by the fact that many of the largest corporations, holding the personal data of tens of millions, simply do not care about our privacy. This isn’t a matter of failing to patch a service, or forgetting to replace vulnerable software: it’s often failing to do even the bare minimum to protect their customers.
The Latest Offender: Facebook
Just this week, it was reported that Facebook was storing hundreds of millions of user passwords in plain text. This is a mistake so elementary that most coders and web designers with less than a year of experience wouldn’t make it — it’s nearly effortless to hash or encrypt this information, and doing so is unquestionably standard procedure.
This could have easily been a disaster. Between users’ habits of reusing passwords for multiple services, third-party websites utilizing Facebook’s Single Sign-On (SSO) login, and the presence of sensitive data in Facebook profiles and conversations, any breach in Facebook security has the potential to be damaging on a global scale. It’s not known whether these passwords were accessed by unauthorized users — Facebook says they weren’t — but it may be worth reconsidering how we give out our data.
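To show how little effort the "standard procedure" mentioned above actually takes, here is an added example (not code from Facebook or from this site) of storing a password as a salted scrypt hash and verifying a login against that record using only the Python standard library. The work-factor parameters are assumed values for illustration and should be tuned to the hardware the service runs on.

```python
import hashlib
import hmac
import secrets

# Work-factor parameters (assumed values for illustration; tune to your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt and digest.

    Only this record is stored; the plaintext password never touches disk.
    """
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        if algo != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"),
                                   salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(digest_hex) // 2)
    except (ValueError, TypeError):
        return False  # malformed record: fail the login instead of raising
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True if the stored record uses weaker parameters than the current policy."""
    parts = record.split("$")
    if parts[0] != "scrypt" or len(parts) != 6:
        return True
    return (int(parts[1]), int(parts[2]), int(parts[3])) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                # False
```

Because the salt is random, two users with the same password get different records, and a leaked record reveals neither the password nor which accounts share it.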
Security Measures You Can Take
While we may not have control over how third-parties store our information, there are still a few initiatives you can take to better secure your data.
1. Don’t use the same password for every site.
Don’t even use similar passwords for every site. This can be difficult to handle on your own, so consider employing a password manager to manage your passwords and sensitive data in a secure setting.
2. Change your passwords regularly.
Whether or not you think you’ve been breached, take a few minutes to change your passwords. Security automation tools like CyberSana can be set up to systematically rotate passwords on your privileged accounts. With regular password rotation, should an external data breach compromise an individual’s personal password on your network, your corporate resources won’t be vulnerable to a breach of their own.
3. Be conscientious about what you sign up for and where.
Even “non-secret” information like addresses, phone numbers, and other public records can be sufficient for criminals to impersonate you, recover your passwords by answering “security questions” and cause other sorts of harm. While nobody can be completely invisible, removing yourself from a number of for-profit record aggregator sites can make these sorts of attacks more difficult to carry out. Knowledge is power — don’t give potential adversaries access to your personal data unless absolutely necessary.