Let's spin Facebook's Wheel of Misfortune! Clack-clack-clack... clack... You've won '100s of millions of passwords stored in plaintext'

Facebook today admitted it stored "some" of its addicts' account passwords in a plaintext readable format. For "some", read hundreds of millions. The antisocial network quietly made the mea culpa in a statement that followed its breathless announcement of the Oculus Rift S Virtual Reality headset. The password snafu confession …

  1. Anonymous Coward
    Anonymous Coward

    Crap social network made by a man that's full of it can only have crap security for people with crap Internet (since FB Lite is made for them).

    I'm perfectly sure that absolutely nobody at Facebook has copied some credentials. I'd trust Facebook with all my private info since they proved they are trustworthy (sarcasm if it's not obvious).

    1. Anonymous Coward
      Anonymous Coward

      Oh what I could say...

      FB likes to think that they are the leading edge of tech and that their code is da bomb.

      There is so much I could say that I saw and the only thing I could do is roll my eyes and shake my head.

      This doesn't surprise me and they should be sued or fined for this.

      1. Mark 85 Silver badge

        Re: Oh what I could say...

        This doesn't surprise me and they should be sued or fined for this.

        That won't change a thing. They have a) lots of lawyers to ensure that any lawsuit never gets settled and b) the fines would be pocket change for them. Nuke all their data centers from orbit might be the only way to stop them.

        1. Anonymous Coward
          Anonymous Coward

          Re: Oh what I could say...

          Well it's a bomb all right. A bomb that was used to nuke democracy, peace, tolerance...

          1. Anonymous Coward
            Anonymous Coward

            Re: Oh what I could say...

            You think this was accidental? It could have been a hidden feature...

      2. jmch Silver badge

        Re: Oh what I could say...

        "FB likes to think that they are the leading edge of tech and that their code is da bomb"

        My experience is that the larger an organisation gets, the less the average quality of its developers. Nothing surprising, simply the law of averages at work. Nothing bad either - most projects don't NEED stellar developer gurus, they need competent people working in a well-defined process towards delivering on well-defined requirements.

        Sadly the latter 2 are often lacking, and sadly many developers don't push back against that, which is like an architect / building contractor saying 'sure no probs' to a client request to build a 10-story tower out of play-doh and sand, deliver it in a couple of weeks and then be surprised when it all comes crashing down.

        1. Glen 1 Silver badge

          Re: Oh what I could say...

          Minor point:

          It's the dev's managers that agree (often due to sales/marketing overpromising)

          Any push back is met with JFDI*

          *Just fucking do it.

        2. J27 Bronze badge

          Re: Oh what I could say...

          It's hard to hire a bunch of stellar development gurus and if everyone did that there wouldn't be enough supply.

      3. EVP

        Re: Oh what I could say...

        Brussels, if you are listening, please fine them to oblivion.

        1) If a company as powerful as FB is lets this kind of stuff happen*, no amount of excusing should let them off.

        2) If a company as powerful as FB is does this kind of stuff on purpose, no amount of excusing should let them off.

        Logic clearly dictates that the time has come to impose severe punitive measures against them.

        *My one-eyed and half-paralysed cat knows better than them how to store user passwords.

    2. anothercynic Silver badge

      *SLOW CLAP*

      Another reason to shorten the time of the info I have on said network to two years...

  2. David 45

    Naughty is not the right word.

    Sounds just as ethical as Uber.

    1. Someone Else Silver badge
      Happy

      @David45 -- Re: Naughty is not the right word.

      Sounds just as ethical as Uber.

      Ouch!

    2. EVP

      Re: Naughty is not the right word.

      Compared to FB, Uber goes to sing in a choir on Sundays.

      I think ”nefarious” is the right word.

      1. katrinab Silver badge

        Re: Naughty is not the right word.

        Judging by the number of Über related prosecutions in my local Magistrate's Court every week, I'm not so sure.

    3. zuckzuckgo

      Re: Naughty is not the right word.

      So they could be described as Über-ethical?

      Well at least they have perfected the second half of the "Move Fast and Break Things." mantra.

  3. Kevin McMurtrie Silver badge
    Facepalm

    Why might you need to use HTTP POST even when the request is idempotent?

    It used to be one of my interview questions.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why might you need to use HTTP POST even when the request is idempotent?

      I don't know, why might you need to use HTTP POST even when the request is idempotent?

      1. Joeyjoejojrshabado

        Re: Why might you need to use HTTP POST even when the request is idempotent?

        I used to be idempotent but some pills I bought online really helped.

        Now I can GET it up.

        1. Jamie Jones Silver badge
          Happy

          Re: Why might you need to use HTTP POST even when the request is idempotent?

          HTTP based puns? Give it a REST. Yes, PUT a sock in it. In fact, go wash your mouth out with SOAP.

      2. indigomm

        Quality output

        One example I can think of is when you don't know the location the resource will end up on.

        Eg. you are creating a new article. You would use a POST to create the initial article. The server then returns the location where it has created it. For subsequent updates you use PUT with the location.

        1. Anonymous Coward
          Anonymous Coward

          Re: Quality output

          Wouldn't *creating* an initial article make the request *not* idempotent?

          Anon because I don't want to publicly show my ignorance.

          1. Claptrap314 Silver badge

            Re: Quality output

            https://www.merriam-webster.com/dictionary/idempotent

            1. Anonymous Coward
              Anonymous Coward

              Re: Quality output

              Hi, I am previous anon.

              Yeah, I read the definition before posting

              Creating a new article would not be idempotent because trying to create the same article again should cause an 'article already exists' type error to prevent said article from being clobbered (the clobbering would also be a change of state)

              http://restcookbook.com/HTTP%20Methods/idempotency/

              1. indigomm

                Quality output

                Typically you would POST to something like /articles to create a new article. In such a case, repeated POSTs create multiple articles. Adding a unique value for a request (generally called an 'idempotency key') allows you to make it idempotent.
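The idempotency-key pattern described in the post above, as an added example that is not code from the thread or from any named project. The `ArticleStore` class, its method names, the simulated `Response` object and the sample requests are assumptions made for illustration; HTTP framing is simulated so the example runs offline. Repeating a POST with the same key replays the original result instead of creating a second article, a key reused with a different body is rejected, and the follow-up PUT to the returned location is idempotent by itself.

```python
"""Idempotent article creation with an idempotency key (added example)."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Response:
    status: int                      # 201 on first creation, 200 on a replayed key
    location: str                    # where the server placed the article
    body: dict = field(default_factory=dict)


class ArticleStore:
    """Simulated server side of POST /articles and PUT /articles/<id> (assumed names)."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.articles: Dict[int, dict] = {}
        # idempotency key -> (location, article id, body the key was first used with)
        self._seen_keys: Dict[str, Tuple[str, int, dict]] = {}

    def post_article(self, body: dict, idempotency_key: Optional[str] = None) -> Response:
        if idempotency_key is not None and idempotency_key in self._seen_keys:
            location, art_id, original_body = self._seen_keys[idempotency_key]
            if original_body != body:
                # Same key, different payload: a client bug or a replayed/tampered request.
                return Response(422, location, {"error": "idempotency key reused with a different body"})
            # Replay: return the original outcome, create nothing new.
            return Response(200, location, self.articles[art_id])

        art_id = next(self._ids)
        article = {"id": art_id, **body}
        self.articles[art_id] = article
        location = f"/articles/{art_id}"
        if idempotency_key is not None:
            self._seen_keys[idempotency_key] = (location, art_id, body)
        return Response(201, location, article)

    def put_article(self, location: str, body: dict) -> Response:
        # PUT to the returned location replaces the whole resource, so repeating
        # it leaves the same state behind: idempotent without any extra key.
        art_id = int(location.rsplit("/", 1)[1])
        if art_id not in self.articles:
            return Response(404, location)
        self.articles[art_id] = {"id": art_id, **body}
        return Response(200, location, self.articles[art_id])


def demo() -> Tuple[int, int]:
    """(articles after two POSTs sharing a key, articles after two POSTs without one)."""
    keyed = ArticleStore()
    first = keyed.post_article({"title": "draft"}, idempotency_key="client-req-42")
    retry = keyed.post_article({"title": "draft"}, idempotency_key="client-req-42")
    assert retry.status == 200 and retry.location == first.location

    unkeyed = ArticleStore()
    unkeyed.post_article({"title": "draft"})
    unkeyed.post_article({"title": "draft"})
    return len(keyed.articles), len(unkeyed.articles)


if __name__ == "__main__":
    print(demo())  # (1, 2)
```

A real service would keep the key-to-result map with an expiry and scope it per authenticated client, so one tenant's key cannot replay another tenant's result.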

              2. Anonymous Coward
                Anonymous Coward

                Re: Quality output

                No, I am previous anon!

      3. Kevin McMurtrie Silver badge

        Re: Why might you need to use HTTP POST even when the request is idempotent?

        So query parameters containing sensitive information don't go to the access log. Thank you for your time.
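The access-log point above, as an added example that is not code from the thread. A Common Log Format line records only the request line (method and target), so a secret in a GET query string is written to disk on every hop that keeps such a log, while a POST body is not part of that line. The log format is standard; the request targets, client address and the list of sensitive parameter names are constructed for illustration. The block also shows the defender's side: a scanner that flags log lines carrying sensitive query parameters and a redaction routine for logs already written. As the replies note, this only helps against the default request-line log; any server that chooses to log bodies can still capture the POST.

```python
"""Secrets in GET query strings versus access logs (added example)."""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as sensitive (constructed list for the example).
SENSITIVE = {"password", "passwd", "pwd", "token", "access_token", "api_key", "secret"}
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def access_log_line(method: str, target: str, status: int, size: int,
                    client: str = "203.0.113.7") -> str:
    """Common Log Format. Only the request line is logged, never the body."""
    return f'{client} - - [22/Mar/2019:10:15:02 +0000] "{method} {target} HTTP/1.1" {status} {size}'


def find_sensitive_params(line: str) -> List[str]:
    """Detection: sensitive query-parameter names present in one log line."""
    m = REQ_LINE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE})


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(1-based line number, flagged parameter names) for every leaking line."""
    hits = []
    for n, line in enumerate(lines, 1):
        params = find_sensitive_params(line)
        if params:
            hits.append((n, params))
    return hits


def redact_line(line: str) -> str:
    """Mitigation for existing logs: keep the parameter name, drop its value."""
    def _scrub(m: "re.Match") -> str:
        parts = urlsplit(m.group("target"))
        pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE else v)
                 for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        target = urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))
        return f'"{m.group("method")} {target} HTTP/'
    return REQ_LINE.sub(_scrub, line)


# Constructed sample log: a login via GET, the same login via POST, an API
# call with a bearer token in the query, and a harmless static asset.
SAMPLE_LOG = [
    access_log_line("GET", "/login?user=alice&password=hunter2", 302, 0),
    access_log_line("POST", "/login", 302, 0),
    access_log_line("GET", "/api/me?access_token=eyJabc.def.ghi", 200, 318),
    access_log_line("GET", "/static/app.js", 200, 40211),
]

if __name__ == "__main__":
    for n, params in scan_log(SAMPLE_LOG):
        print(f"line {n} leaks {params}: {redact_line(SAMPLE_LOG[n - 1])}")
```

Run the scanner over a real access log before handing it to a log aggregator or a third party; if it returns anything, the fix belongs in the application (move the value to a header or body, rotate the exposed secrets), with redaction as the clean-up step.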

        1. Anonymous Coward
          Anonymous Coward

          Re: Why might you need to use HTTP POST even when the request is idempotent?

          What if there's no access log?

        2. franz.ambros

          Re: Why might you need to use HTTP POST even when the request is idempotent?

          What if you log the query parameters in the log? as server owner (endpoint or servers in transit) you can log what you want!

          snakeoil!

    2. Anonymous Coward
      Anonymous Coward

      Re: Why might you need to use HTTP POST even when the request is idempotent?

      Oh you were hoping to get in the crap interviewer hall of fame, along with the ones who ask "if you could be a brand what brand would you be and why"?

      1. zuckzuckgo

        Re: Why might you need to use HTTP POST even when the request is idempotent?

        > "if you could be a brand what brand would you be and why"?

        Russell Brand.

    3. KieranTully

      Re: Why might you need to use HTTP POST even when the request is idempotent?

      I know what the answer is in the context of this article, but I'd have to be a mind-reader to stumble upon that in an interview.

  4. Charlie Clark Silver badge

    GDPR complaint in 3, 2, 1…

    Clear breach, pity this was discovered before California's version of GDPR goes into force as the US courts would allow for nice class action suits.

    1. stevebp

      Re: GDPR complaint in 3, 2, 1…

      Do you think there's a connection here...?

  5. Robert Helpmann?? Silver badge
    Childcatcher

    Pinch Me

    This is the same biz that this month lied about how many teens were using its market-research-slash-surveillance app, and has repeatedly lied in the past, so take the statement with a pinch of salt.

    There's not enough salt in the ocean to help me swallow the FB line.

    1. Maelstorm
      Joke

      Re: Pinch Me

      There's not enough mind altering drugs on this planet to make Facebook look good.

    2. Anonymous Coward
      Anonymous Coward

      Re: Pinch Me

      Market research led by teens? No wonder the world is going to hell.

      As an ex-teenager I remember and still cringe at how stupid I could be, and sometimes still am.

  6. chivo243 Silver badge
    Unhappy

    My definition

    and FB\Zuck's of "abused or improperly accessed" are probably not even in the same book.

  7. Eddy Ito Silver badge
    WTF?

    Since FB had already reached the 9th level of WTF

    How much lower can it realistically go?

    1. chivo243 Silver badge
      Coat

      Re: Since FB had already reached the 9th level of WTF

      my guess is 2, everything goes up to 11! good or bad m'kay.

    2. Someone Else Silver badge
      Coat

      Re: Since FB had already reached the 9th level of WTF

      Ask Herr Drumpf.

    3. VikiAi Silver badge

      Re: Since FB had already reached the 9th level of WTF

      While only 9 levels have been documented, I suspect, like cardinal numbers, there is no end.

      1. Rich 11 Silver badge

        Re: Since FB had already reached the 9th level of WTF

        Let's not bring cardinals into the sleazy WTFery.

    4. Mark 85 Silver badge

      Re: Since FB had already reached the 9th level of WTF

      How much lower can it realistically go?

      Not sure you really want to know. Just when one thinks things are as low as they can go, the elevator drops another floor.

  8. Khaptain Silver badge

    What about insiders

    "We have found no evidence to date that anyone internally abused or improperly accessed them".

    So how do they prove that no-one on the inside had access?

    Finding no evidence does not mean that the data wasn't obtained, they simply don't know....

    1. LenG

      Re: What about insiders

      Finding no evidence probably means they didn't look for any.

    2. Jamie Jones Silver badge

      Re: What about insiders

      Indeed. And they are also using sneaky tactics to spin the numbers they admit. The linked article includes the following:

      My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

      “The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

      And one commentator to that article writes:

      Facebook’s employees aren’t even employees. They are all contractors — most of whom are overseas. Manila is their largest operation. I think the number of people contracting FIRMS is 4,500.

      [ I've not attempted to fact-check the above 2 quotes ]

      1. veti Silver badge

        Re: What about insiders

        All that means is that the data was very easily available, chucked up in response to some very common back-end queries. It doesn't mean that any of those users were actively trying to get that information or that they did anything improper with it.

        Of course, it does imply that it'd be very hard for FB to find out even if they did. And my bet is, they're currently trying hard not to find out.

    3. JassMan Silver badge
      FAIL

      Re: What about insiders

      "We have found no evidence to date that anyone internally abused or improperly accessed them".

      They should be more worried about internal staff abusing or accessing the data rather than staff internally abusing the data. Are passwords stored in a snortable form, or do they have to print them and chew thoroughly before swallowing.

      More seriously, if they haven't found any staff abusing them because they haven't been looking, how can they be so sure no-one external has opened a backdoor. History shows that they take security so seriously that external companies can access shedloads of supposedly private data without even needing a password.

    4. Kevin Johnston

      Re: What about insiders

      There is a standard phrase around evidence which needs to be stapled to every spokesperson who tries this FUD...

      Absence of Evidence is not Evidence of Absence

  9. Peter X

    Two-factor auth

    It also suggests that two-factor authentication could be used

    Isn't this the same company that has been found to use the number supplied to support 2fa as an extra cross reference in its database?

    1. doublelayer Silver badge

      Re: Two-factor auth

      Why yes, yes it is. What might you be suggesting? They only did that by mistake, and fixed it. At least, they have seen no evidence to the contrary. That wall they're looking at is really blank.

  10. CountCadaver Bronze badge

    Klarius also storing passwords in plaintext

    Klarius (the exhaust manufacturer) also store their user passwords in plain text, I couldn't remember mine, so clicked the "forgotten password" link and wasn't impressed to then be sent my password in plaintext.

    Tipped off El Reg but obviously not interested....

    1. LDS Silver badge

      Re: Klarius also storing passwords in plaintext

      The password could still be stored with reversible encryption on their servers - which is still not a good idea usually - but I wouldn't bet on it....

    2. Korev Silver badge
      FAIL

      Re: Klarius also storing passwords in plaintext

      Mailman does that too; to make things worse every month it emails you a copy of your password...

  11. real_alias
    Big Brother

    wash. rinse. repeat.

    Privacy and security (ours not yours) are our top priorities. We are sorry (we got caught again) and we are working hard to do better (to avoid getting caught again) in the future.

    1. chivo243 Silver badge
      Devil

      Re: wash. rinse. repeat.

      (to avoid getting caught again) in the mean time we will continue to throw a chunk of our earnings into a high yield savings account, and pay the fine with the interest...

    2. Martin Summers Silver badge

      Re: wash. rinse. repeat.

      Some years ago I tipped off my former boss (whilst I was working for him) that our hallowed Web developer was storing passwords in plain text for our customers website customers and emailed passwords in plaintext as reminders. He wasn't interested either. Our Web developer even lied directly to him in a meeting and said that even Facebook sent out password reminders in plaintext. Or at least I believed he was lying, seems he was half right!

  12. EVP

    It’s time... to go, FB

    It was not accidental. No. Fscking. Way.

  13. fidodogbreath Silver badge

    Facebook is a trash fire

    That is all.

    1. JustWondering

      Re: Facebook is a trash fire

      But look at all the people warming their hands.

      1. TimMaher Bronze badge
        Coat

        Re: Facebook is a trash fire

        And passing round the bottles and the spliffs.

        Mine’s the old, brown, slept in one with the frayed cuffs and piece of string for a belt.

    2. VikiAi Silver badge
      Unhappy

      Re: Facebook is a trash fire

      With a high content of old rubber tires.

    3. CountCadaver Bronze badge

      Re: Facebook is a trash fire

      Seemingly vying with Bethesda (see fallout 76 debacles for starters) for biggest ongoing dumpster fire, not sure if there will be a winner as they both seem to keep stacking more and more onto the bonfire

  14. Anonymous Coward
    Anonymous Coward

    Mr Zuckerberg's password for his social media accounts was dadada until it was leaked in 2016.

    1. fidodogbreath Silver badge

      Mr Zuckerberg's password for his social media accounts was dadada until it was leaked in 2016.

      Meanwhile, Dadada_1 meets Facebook's requirements for a "secure" password: eight characters, upper case, lower case, numeral, and special character....

  15. AK565

    Shit like this makes me glad I haven't been on FB for several years. But maybe I'm just not a FB kind of guy. I have very little free time and what little I have I prefer to spend on things like sex with my boyfriend. Am I weird because I'd rather get laid than go online?

    1. don't you hate it when you lose your account Bronze badge

      Turin test

      Certainly proves you're not a Facebook bot

      1. Anonymous Coward
        Anonymous Coward

        Re: Turin test

        The Turin test is when you go to a restaurant with any pretensions to class without booking, and you find out how cool you look by whether or not they have a table free.

  16. SWCD

    "We have found no evidence to date that anyone internally abused.."

    As always, it's in the wording. It's not possible to get evidence that anyone externally abused them.

    1. LDS Silver badge

      For some lawyer definition of "internally", also...

  17. big_D Silver badge

    GDPR?

    Facebook said it realized its error in January, during a security review, and discreetly fixed the problem.

    So, they contravened GDPR. Were any European users affected? If so, it could be expensive.

  18. Rudolph Hucker the Third

    That's the least of *our* problems with FaeceBorg:

    Look what people can find when they dig deep enough into how FaeceBorg is getting your personal data, regardless of whether you are a user or not:

    https://privacyinternational.org/report/2647/how-apps-android-share-data-facebook-report

    Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools.

    We found that at least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not. ... apps that automatically transmit data to Facebook share this data together with a unique identifier, the Google advertising ID (AAID). The primary purpose of advertising IDs, such as the Google advertising ID (or Apple’s equivalent, the IDFA) is to allow advertisers to link data about user behavior from different apps and web browsing into a comprehensive profile. If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion

    1. Anonymous Coward
      Anonymous Coward

      If we could design a game where everyone deliberately looks at sites they are not interested in, this would help disrupt their data. The more obscure and diverse the searches and apps the better.

      1. RancidOrange

        That's definitely going to be my excuse if anyone asks me about some of the dodgy sites I've been on.

  19. MatsSvensson

    Low salt diet

    But how else are they going to know what soda to sell to people who have "cOkELIgHt" as their PW ?!

  20. Tom 7 Silver badge

    FFS Really?

    Twenty years ago I was salting and hashing passwords in the browser to avoid this sort of shit. Security is not an afterthought.

  21. Anonymous Coward
    Anonymous Coward

    Fakebook

    It's been so long since I logged in that I've forgotten my password, please remind me so I can delete myself.

    Anon, of course.

  22. JimmyPage Silver badge
    FAIL

    Sigh, once again (it's about weekly) I ask ...

    Why are there no RFCs or IETF specifications for password handling. Starting with they are never stored in plaintext because they're only ever hashed ????

    Plus a defined secure recovery process.

    Why does every single website feel the need to reinvent the relatively simple job of user authentication ??????
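The "only ever hashed" storage that the post above asks for, and the salting-and-hashing Tom 7 mentions a few posts earlier, as one added example that is not code from the thread or from any product named in it. It hashes on the server, where the stored form has to survive an insider with database access: each password gets its own random salt, a deliberately slow PBKDF2-HMAC-SHA256 (chosen because it ships in the Python standard library), a constant-time comparison on verify, and a cost check so old records can be upgraded at the next login. The record format `pbkdf2_sha256$<iterations>$<salt>$<hash>`, the `UserStore` class and the sample accounts are assumptions for illustration. Because the store holds only these records, a "send me my password" reminder is impossible by construction.

```python
"""Salted, slow password hashing with no recoverable plaintext (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # OWASP's recommended minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record; the plaintext is never kept."""
    salt = os.urandom(SALT_BYTES)   # per-user salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with an older algorithm or a lower cost."""
    algorithm, stored, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(stored) < iterations


class UserStore:
    """Minimal credential store (assumed name) that holds hash records only."""

    # Verified for unknown users so that timing does not reveal whether a name exists.
    _DUMMY_RECORD = hash_password("not-a-real-password")

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def record_for(self, username: str) -> Optional[str]:
        return self._records.get(username)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username, self._DUMMY_RECORD)
        ok = verify_password(password, record)
        if username not in self._records or not ok:
            return False
        if needs_rehash(record):
            # Transparent upgrade: we have the plaintext right now, so re-hash at full cost.
            self._records[username] = hash_password(password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # True
    print(store.login("alice", "hunter2"))                         # False
    print(store.record_for("alice"))                               # no plaintext anywhere in it
```

In production, prefer a memory-hard function (Argon2id, scrypt or bcrypt via a maintained library) over PBKDF2 where one is available; the record layout, salt handling, constant-time compare and rehash-on-login carry over unchanged.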

    1. Anonymous Coward
      Anonymous Coward

      Re: Sigh, once again (it's about weekly) I ask ...

      "Why does every single website feel the need to reinvent the relatively simple job of user authentication ??????"

      Santander's website has just 'improved security' of its login by only asking for a couple of characters of your password. I have complained that this means I now have to WRITE DOWN my password so I can work out which is the 12th and 23rd character rather than type it from memory (or, for less used sites, pasting it from KeePass)

      1. _gh_

        Re: Sigh, once again (it's about weekly) I ask ...

        That's the horrible method that HSBC Canada used until recently - now they use an even better method where I have to talk to their call centre when I change my phone. Such a joy.

  23. steviebuk Silver badge

    I guess this is why I've never made anything successful

    As even when everything is going to shit, you appear to have to keep at it. With all the money he's got, if I was Zuck, I'd quit now before it all goes tits up and you lose all that money. Although I'm sure he'll have invested money in other areas that can't be touched when Facebook starts going down like MySpace.

    1. Bangem

      Re: I guess this is why I've never made anything successful

      ...but how would Zuck feed his ego if he quit?

      1. Anonymous Coward
        Anonymous Coward

        Re: I guess this is why I've never made anything successful

        Buying the next POTUS.

  24. Anonymous Coward
    Anonymous Coward

    just a couple of questions...

    Firstly, what have the security audit guys been doing for the last 15 years? Yes, you may have given (but probably didn't) the tech guys permission to have access to passwords in plain-text to do their work, but that means security procedures should be in place to prevent leakage and/or misuse. Secondly, why just an advisory message to those affected rather than forcing a password change? Mind you, how do you expect someone to remember it's 'password1234' when they are always logged in to the Borg

  25. DontFeedTheTrolls Silver badge
    WTF?

    "We have found no evidence to date that anyone internally abused or improperly accessed them"

    In what universe would anyone be properly accessing passwords, never mind improperly.

  26. Rich 2 Silver badge

    "We have found no evidence to date that anyone internally abused or improperly accessed them."

    That's not the same as "We LOOKED and we have found no evidence...."

  27. Kubla Cant Silver badge

    Log in with Facebook

    A few years ago I worked on an application that used OAuth. The idea is that instead of doing our own authentication, we delegate it to a trustworthy organisation that maintains a huge database of credentials. It's nice because users don't have to remember lots of usernames and passwords (which possibly also makes it nice for impersonators).

    One of the main authentication suppliers was... Facebook. And the ubiquitous "Log in with Facebook" on web applications suggests that Facebook's involvement in authentication hasn't diminished.

    In the light of this story that looks about as sensible as letting next door's goldfish take the controls of your plane.

    1. Pascal

      Re: Log in with Facebook

      No kidding...

      When we implemented SSO in our applications to let our clients use an external identity provider if they want instead of our internal accounts and credentials management, we immediately started getting requests to add "Log in with Facebook".

      Fortunately I have a veto power over that kind of thing given that we're subjected to some pretty severe security audits and was able to kill off that idea!

  28. Anonymous Coward
    Anonymous Coward

    life imitates dumb movie

    TBH it does look like zuck takes his orders from the security services a bit like that bourn5 jiggly camera fillum except he doesn't have the bottle to stop and he gets lots of cash.

  29. VerySadGeek

    Every time I create an account with Greater Anglia trains they email me my password and username back in plain text.

    I started using passwords like 'Dont send this back in plain text' but they did anyway.

    I complained but I just got an email back telling me how much business they do and how secure their servers are etc.

  30. Jay Lenovo Silver badge
    FAIL

    Fast Times at Silicon High

    Despite publicly stating its intentions to do the opposite, Facebook continues to outdo itself with the next greatest work of stupidity.

    Maybe Zuc has been receiving advice from Nicolás Maduro on how to run a social network?

  31. dnicholas Bronze badge
    Pint

    Sharing is caring

    Facebook is all about sharing everything, including your credentials, it seems.

    Anyways, it's beer o'clock on Friday, time to unplug for the weekend

  32. Anonymous Coward
    Anonymous Coward

    snuff-flick slinger?

    We can all take a reasonably offensive joke and a bit of snark here, but that's really pretty crass.

    Real (and I'm sure perfectly decent) people, with real friends and families who are now mourning them, were horrifically murdered just a few days ago. Have some basic human decency, please. That is not something to try to make light of in any way.

    Yes, it was also horrific that the video was uploaded to Facebook, and yes, it was awful that it took Facebook some time to respond and try to take it down, but it wasn't as if they did that deliberately. There are some things that I'm sure even Facebook would not want to be associated with.

  33. Mahhn

    Zuck-up

    and he hoped to be remembered for something cool.

    In 20 years the only thing people will know about him, is that he's where the term "Zuck-up" came from.

  34. MachDiamond Silver badge

    On the telly

    I just watched a show about bank fraud where one of the perps supplying information worked at a bank. Previously, he'd been sacked for snaffling card info from customers at the pizza place where he worked. The bank's set up allowed a brand new employee the ability to pull up sensitive information and walk out the door with it (or email it or something. I don't remember how he passed it on). I think he got a whole six months or some other pathetic sentence for helping to steal £100k or so.

    Just because "only" FB drones could see the info doesn't mean there isn't any security issue. All it would take is one of those employees with access dumping the lot to a micro SD card they take out in their shoe. I'm sure 100 million FB logon credentials would be worth a new car or two marketed correctly. So many people use the same L/P for everything that any data set that includes names and other info is worth a stack of high denomination notes that high.

  35. _gh_
    Facepalm

    Oh ffs

    Well scrap the security awareness training. A system in place for years, accessed by devs for that period of time, and nobody thought to question the presence of passwords when their security policy probably makes sharing passwords a disciplinary offence.

    It's probably there because once upon a time someone wanted to be able to see the problems specific users were complaining about and no-one could be arsed to write a properly audit trailed time limited token (at some point someone does need to see what the complaint is about and most companies are averse to screen sharing (though that's getting better)).

    It probably also means that all the 2FA defences have a bypass in place for users within their campuses - what could possibly go wrong - 200 million IDs & passwords - clear text probably only 1GB all zipped up.


Biting the hand that feeds IT © 1998–2019