Facebook has admitted its latest security breach left millions of users’ passwords unprotected and vulnerable to hackers.
Security reporter Brian Krebs initially uncovered the company’s data protection failures on Thursday, revealing up to 600 million Facebook passwords had been stored in plain text.
Usually when a company stores passwords it protects them with encryption so that outsiders cannot read them.
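As an added illustration of the point above (example code, not Facebook's), this shows what a service should write to its database instead of the password: a salted, slow, one-way hash that can still be checked at login but reveals nothing to anyone who reads the stored row. The record format and the iteration count are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Facebook's code: store a password so that anyone who can
# read the user database (or a log) still cannot read the password itself.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # work factor; illustrative, tune to hardware and policy


def unsafe_record(username: str, password: str) -> str:
    """The failure mode the article describes: the password stored as-is."""
    return f"{username}:{password}"


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return the string written to the database in place of the password.

    Format (constructed for this example): algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per user means two users with the same password get
    different records, so the database reveals nothing about shared passwords.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def plaintext_in_record(password: str, record: str) -> bool:
    """What an insider reading the stored row would see: True means exposed."""
    return password in record


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(plaintext_in_record(pw, unsafe_record("alice", pw)))  # True: exposed
    row = make_record(pw)
    print(row)
    print(verify(pw, row))                 # True: login still works
    print(plaintext_in_record(pw, row))    # False: row reveals nothing
```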
Mr Krebs said Facebook’s security glitch meant passwords dating back as early as 2012 were easily readable by more than 20,000 Facebook employees.
Facebook issued a statement on Thursday saying it has resolved the data breach and that it would notify everyone whose passwords were stored without protection.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the statement reads.
The company said the issue was discovered in January as part of a routine security review.
Most of the passwords left unprotected belonged to users of Facebook Lite, a version of the social media network made for people in regions with poor internet connection.
The latest security breach follows a troubled period for Facebook, which has faced widespread criticism over its handling and protection of user data.
In September last year, the company confessed a security flaw had exposed private information on 50 million users.
Earlier in 2018, it revealed that data on millions of users had been harvested without their knowledge by data analytics company Cambridge Analytica.
CQUniversity Australia engineering and technology lecturer Dr Jahan Hassan said Facebook’s latest glitch exposed users to a “high risk” of someone stealing their password to log into their personal accounts.
“Someone might have a complicated password, but if Facebook is storing it in plain text then someone can easily log in to their account and post whatever they want,” Dr Hassan said.
“If the password ends up in bad hands, they can find out very personal information and anything can happen.”
What can you do to help protect your passwords?
University of Melbourne cyber security researcher Suelette Dreyfus warned too many people used the same or similar passwords to access different social networking sites or online platforms.
“The big problem you’ve got when you have a security incident like this is, it’s not just the security risk to that particular account – it’s that that particular account may also be a key into other parts of their life,” Dr Dreyfus said.
“It could be used for their Gmail account, Twitter account, or it could go into the deep, dark abyss of their online financial banking institutions.”
The cyber security expert recommended people change their exposed passwords and update any re-used ones so they’re all unique.
“We’re all human and not that good at remembering complicated PINs and passwords,” Dr Dreyfus said.
“It’s a good idea to get a password manager, which helps you choose and store a unique and secure password for each site.”