Incident Of The Week: Facebook Fails To Secure Passwords

Details of the data breach and 12 ways to protect yourself

On March 21, 2019, cyber security writer Brian Krebs reported in his KrebsOnSecurity blog that hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases dating back to 2012.

According to an anonymous Facebook source, the investigation so far indicates between 200 million and 600 million users may have had their account passwords store in plain text and searchable by more than 20,000 employees. The insider also told Krebs that access logs showed some 2,000 engineers or developers made approximately 9 million internal queries for data elements that contained plain text user passwords.

See Related: “2018 Cyber Breaches Review: Facebook Tops The List

The issue with storing passwords in plain text and unencrypted is that it leaves the passwords wide open to cyber attacks or potential employee abuse. A better cyber security practice would have been to keep the passwords in a scrambled format that is indecipherable.

 “The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro, said, “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

See Related: “Facebook Exposes Photos Of 6.8 Million Users In Second Data Breach Since September

A written statement from Facebook, it said the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.

How Facebook Is Taking Action

“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them. There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” according to the statement.

Renfro said the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.

“This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening,” Renfro said. “We have a bunch of controls in place to try to mitigate these problems, and we’re in the process of investigating long-term infrastructure changes to prevent this going forward. We’re now reviewing any logs we have to see if there has been abuse or other access to that data.”

This data breach comes on the heels of The New York Times report last week, that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world’s largest technology companies.

Earlier in March, Facebook came under fire from security and privacy experts for using phone numbers provided for security reasons — like two-factor authentication — for other things (like marketing, advertising and making users searchable by their phone numbers across the social network’s different platforms).

However, according to Facebook, it is taking the necessary steps needed to protect passwords. The company outlines that:

In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them. In security terms, we “hash” and “salt” the passwords, including using a function called “scrypt” as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.

We use a variety of signals to detect suspicious activity. For example, even if a password is entered correctly, we will treat it differently if we detect that it is being entered from an unrecognized device or from an unusual location. When we see a suspicious login attempt, we’ll ask an additional verification question to prove that the person is the real account owner.

People can also sign up to receive alerts about unrecognized logins.

Knowing some people reuse passwords across different services, we keep a close eye on data breach announcements from other organizations and publicly posted databases of stolen credentials. We check if stolen email and password combinations match the same credentials being used on Facebook. If we find a match, we’ll notify you next time you login and guide you through changing your password.

To minimize the reliance on passwords, we introduced the ability to register a physical security key to your account, so the next time you log in you’ll simply tap a small hardware device that goes in the USB drive of your computer. This measure is particularly critical for high-risk users including journalists, activists, political campaigns and public figures.

Password Tips To Protect The Enterprise

While there are steps the enterprise can take to create a strong cyber security posture, humans and their passwords are a daily battle that most companies are losing every day. After all, we are creatures of habit and it’s very common for us to use the same passwords across devices (whether personal or professional). And so, here are a few important tips from CS Hub Advisory Board member and CISO Rebecca Wynn, that can help you create a strong password (at home or in the office):

  1. Create a password that is not less than 10 characters and preferably 16 characters. Having a long password is often the best strategy to make it difficult for the hackers or algorithms to crack it. A long string of characters will make it challenging to guess the password for most programs that use a random combination of characters.

  2. Avoid using a common phrase, your name, nickname or address. Many passwords in the list include common words, which are easily hackable using dictionary attacks. Other information such as your name, your pet’s name, DOB and street address might be easy for you to remember but is a piece of cake for hackers to crack your password. Best advice, don’t use them!

  3. Use a mix of alphanumeric characters, numbers and special characters (symbols). One of the best ways to create a strong password is to use a mix of case-sensitive alphanumeric characters along with symbols. While it may be difficult to remember, there’s one easy way you can remember it. To create a password that is strong and yet easy to remember, use acronyms. Replace letters with their corresponding uppercase and similar special characters. For example, white lilies can be converted to “Wh1t3L%l&3$”.

  4. Abbreviate a sentence. Come up with a sentence and pick the first or last letter of each word to form a password. Mix it with special characters to make it even stronger. For example, I hate being hacked all the time! Considering the last letter of each word, the password becomes – Ih3bgHd4tt!

  5. Always use a unique password, never repeat. Never EVER use a password for more than one account, application or service. Always use a unique password. If one of your online services gets hacked, the hacker will try to use the hacked password for your other accounts. Never use the same passwords and just add a 1, 2, 3, etc., at the end.

  6. Use two-factor authentication. Although not foolproof, a two-factor authentication adds another layer of security to your online account. You can use dedicated authentication apps or enable the code over SMS feature, which most websites offer today. Enabling this functionality might not guarantee 100% security, but is far better than relying on one single password.

  7. NEVER store passwords in your browser. Storing a password in a browser can be hacked. Those can be hacked in many ways. Also, some websites offer to save your address, credit card details, and so on, for convenience. If you accept that offer, you've put your personal data at risk. Who knows if the site is storing your details securely? Equifax didn't!

  8. Consider using a password manager. Using a password manager and using its ability to create complex passwords for you is an easy way to create unique passwords. Make sure your generated passwords are at least 10 and preferably 16 or more characters long; all too many products default to a shorter length.

  9. Change your passwords. Change your non-email and financial passwords at least annually. It is very easy to do using a password manager and having it generate very long and complex passwords.

  10. Implement an account lockout policy. When available always use account lockout. It should initiate after a pre-defined number of failed attempts such as 3 or 5.

  11. Notification of account change. When available have an email sent to you or SMS message sent when your account has been change e.g. new password set, or account has been accessed.

  12. Notification of last time account was accessed. When available have your account always show you the last time it was accessed. Request that feature be added to any account, application or service that doesn't currently have it.

See Related: “Celebrate International Data Privacy Day 2019 With This Expert Advice