Facebook admits harvesting hundreds of millions of Facebook, Instagram and Email passwords in Plain Text

Facebook says it stored hundreds of millions of user account passwords in plain text in its internal systems, searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. But Facebook also says that an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook CEO Mark Zuckerberg

Facebook is a popular free social networking website that allows registered users to create profiles, upload photos and video, send messages and keep in touch with friends, family and colleagues. It is available in 37 languages and includes public features such as groups, events and pages.

It was founded by Mark Zuckerberg, along with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. It is considered one of the Big Four technology companies along with Amazon, Apple and Google. To join the Facebook community, a user must register with some general information and a password, which is then used during the login process.

Registration and Login form of Facebook

A Facebook password is a very sensitive piece of data. Anyone who knows a person's Facebook password can take over that account and steal all of the information in it. That is why, for security purposes, Facebook masks people's passwords when they create an account, so that no one at the company can see them.

In security terms, according to a Facebook blog post, the company 'hashes' and 'salts' the passwords, using a function called "scrypt" together with a cryptographic key. The effect of these procedures is that the actual password is replaced with a random-looking string of characters, so the stored value is unreadable and cannot be turned back into the password.
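To make the hashing and salting described above concrete, here is an added example (not Facebook's code, and not from the article) showing how a login system stores a password using scrypt, a per-user random salt, and a server-side key. The cost parameters, the pepper value and the record format are assumptions chosen for the example; in a real deployment the key would live outside the password database, for instance in a KMS or HSM.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: constructed for this example, tune for production hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32

# Server-side secret ("pepper"), assumed to be stored apart from the password
# database. Constructed placeholder value for this example.
PEPPER = b"example-pepper-kept-outside-the-database"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record containing the scrypt parameters, the salt and
    the keyed hash. The plaintext password never appears in the record."""
    if salt is None:
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DKLEN,
    )
    # Apply the server-side key so a leaked password database alone is not
    # enough to run an offline guessing attack.
    keyed = hmac.new(PEPPER, digest, hashlib.sha256).digest()
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(keyed))


def verify_password(password: str, record: str) -> bool:
    """Recompute the keyed hash from the stored parameters and compare it in
    constant time. Returns True only if the password matches."""
    parts = record.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return False
    n, r, p = int(parts[2]), int(parts[3]), int(parts[4])
    salt = base64.b64decode(parts[5])
    expected = base64.b64decode(parts[6])
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    keyed = hmac.new(PEPPER, digest, hashlib.sha256).digest()
    return hmac.compare_digest(keyed, expected)


def record_contains_plaintext(password: str, record: str) -> bool:
    """Sanity check a reviewer might run over stored records: the plaintext
    password must never be recoverable by simply reading the record."""
    return password in record


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("wrong password ok:", verify_password("Tr0ub4dor&3", rec))
```

Two properties are worth noticing when running it: hashing the same password twice yields two different records because the salt differs, and `verify_password` still succeeds because the salt is stored alongside the hash. The failure described in the article was not a weakness in this scheme but code paths that captured the password before it reached it.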

Despite all these safeguards, Facebook recently confirmed in a blog post, prompted by a report by cyber security reporter Brian Krebs, that it had stored "hundreds of millions" of account passwords in plain text for years. Krebs said the bug dated back to 2012. Facebook suffered a series of security failures in which some internal applications accepted unencrypted password data for Facebook users and stored it in plain text on internal company servers.

A senior Facebook employee familiar with the investigation told KrebsOnSecurity that the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.

This issue was discovered in January, said Facebook’s Pedro Canahuati, as part of a routine security review. None of the passwords were visible to anyone outside Facebook, he said.

This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have found no evidence to date that anyone internally abused or improperly accessed them.

Pedro Canahuati

Facebook assured that it will notify hundreds of millions of Facebook Lite users, a lighter version of Facebook for users where internet speeds are slow and bandwidth is expensive, and tens of millions of other Facebook users about this incident.

Facebook asking for an Email password in the name of verifying the Email address

Beyond passwords, Facebook has also admitted to accessing and storing the email contacts of as many as 1.5 million of its users without their consent. Email verification itself is a standard practice for online services.

Usually, when you sign up for a new service you are asked to provide an email address. You then receive an email at that address containing a link that you have to click manually in order to verify that the email account belongs to you. But Facebook handled it a bit differently.

What Facebook did was to have users verify that they owned an email account by handing over their password to Facebook. “To continue using Facebook, you’ll need to confirm your email address” read the page asking for a user’s email password.
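For contrast with the password-collecting form described above, here is an added example (not Facebook's code, and not from the article) of the standard link-based verification flow: the service generates a random single-use token, emails a link carrying it, and marks the address verified only when that link is used before it expires. The service never sees the user's mailbox password. The `EmailVerifier` class, the token lifetime and the `example.invalid` link are assumptions made for this example.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Tuple

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of a verification link


class EmailVerifier:
    """Minimal server-side state for link-based email verification."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        # token_hash -> (email, expiry). Only the hash of the token is stored,
        # so a leaked table does not let anyone complete a verification.
        self._pending: Dict[str, Tuple[str, float]] = {}
        self.verified = set()
        self._now = now

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> Tuple[str, str]:
        """Create a token for `email` and return (token, link). The link is
        what would be sent to the address; the token is returned separately
        here only so a caller or test can exercise verify()."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._pending[self._hash(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        link = "https://example.invalid/verify?token=%s" % token  # constructed URL
        return token, link

    def verify(self, token: str) -> bool:
        """Consume a token. True only if it exists and has not expired."""
        entry = self._pending.pop(self._hash(token), None)  # single use
        if entry is None:
            return False
        email, expires_at = entry
        if self._now() > expires_at:
            return False
        self.verified.add(email)
        return True

    def is_verified(self, email: str) -> bool:
        return email in self.verified


if __name__ == "__main__":
    ev = EmailVerifier()
    token, link = ev.issue("user@example.invalid")
    print("link that would be emailed:", link)
    print("first click:", ev.verify(token))   # True
    print("second click:", ev.verify(token))  # False, token already consumed
```

The design choices are the ones that matter for this kind of flow: the token is random rather than derived from the email address, it is stored hashed, it can be used only once, and it expires. Proving control of a mailbox this way needs no credential from the user beyond the ability to read the message.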

But Facebook assured that these contacts had never been shared with anyone, and that the company is now deleting the contacts that were uploaded.

Facebook sending a message to its users about the password issue

The company previously said that it would reach out to the millions of Facebook users whose passwords were stored in plain text. Now it will also have to contact the users whose email contact lists were snagged. In addition, Facebook stored millions of Instagram passwords in plain text, so millions of Instagram users are affected as well, on top of the email and Facebook passwords.
