Facebook Stored Millions of Passwords in Plain Text. Here's How to Change Yours
If you're concerned about online security, you may have already reconsidered your relationship with Facebook. The social networking giant has earned a reputation for mishandling users' data and leaving them vulnerable to hacking. Now there's a new reason to reassess your profile: As KrebsOnSecurity reports, Facebook has been storing passwords in plain text since 2012, meaning they were easily readable and searchable for years by anyone with access to Facebook's internal workings. All users should change their passwords as soon as possible.
Over the last seven years, between 200 million and 600 million users had their passwords made vulnerable by the security flaw. The passwords were saved in Facebook's internal password management system in plain text that required no decoding to read. According to Facebook, "hundreds of millions of Facebook Lite [its app for low-power-usage devices] users, tens of millions additional Facebook users, and tens of thousands of Instagram users" were affected.
Tech companies normally encrypt the user passwords they store in their databases. Without encryption, anyone who has access to those files can read that sensitive information without facing any barriers. Facebook's security issue left passwords open to up to 20,000 company employees, and according to KrebsOnSecurity, "access logs showed some 2000 engineers or developers made approximately 9 million internal queries for data elements that contained plain-text user passwords."
Facebook claims to have fixed the problem and plans to reach out to every user who was affected. Because there's no sign that the passwords were leaked or mishandled, the company won't require users to change their passwords. But given Facebook's reputation for security, all users should probably change their passwords as a precaution.
To change your Facebook password, go to Settings and then Security and Login. Go to the Change Password option under Login and select Edit. From there, you'll be able to set a new password after entering your current one.
[h/t KrebsOnSecurity]