Facebook is facing scrutiny once again today after disclosing that it accidentally stored "hundreds of millions" of user passwords in plaintext. To make matters worse, 20,000 Facebook employees had access to view these passwords. Instagram users are also impacted by this massive oversight.
There are so many things wrong here.
In this day and age, obviously no company or organization should be storing user passwords in plaintext, and most companies should not even store passwords in a reversible format. 20,000 employees should never have access to a database of passwords, even if they are hashed or encrypted. Only a handful of admins should have access to that data.
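To make the "not plaintext, not reversible" point concrete, here is an added example (not code from Facebook or from Enzoic) of what a password column should actually contain: a salted, slow, one-way hash that can be verified but not reversed. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the storage format string and the iteration count are assumptions chosen for this illustration, and the iteration count should be tuned to your own hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example. Raise the iteration count until a
# single verification takes a noticeable fraction of a second on your servers;
# that cost is what slows down an attacker who obtains the hash database.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.

    The record format is constructed for this example. The salt is random per
    user, so two users with the same password get different records and an
    attacker cannot precompute one table for the whole database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare.

    hmac.compare_digest avoids leaking how many leading bytes matched through
    timing differences. Malformed records are rejected rather than raising.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_hex, hash_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def is_plaintext_record(stored: str) -> bool:
    """Cheap sanity check an auditor could run over a dump: anything that is
    not in the expected scheme$...$ shape is suspect (plaintext, or a legacy
    reversible format) and should be flagged for migration."""
    return not stored.startswith(SCHEME + "$")


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))  # False
```

Note what the record does not contain: the password itself, or anything a key could turn back into it. An employee with read access to this table learns nothing they can type into a login form, which is the property the plaintext store described above lacked.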
This is not only a privacy risk, it is a profound security risk.
If this data is leaked to the internet or dark web, there will be a ripple effect of this security incident that impacts far more than just Facebook and Instagram.
Not only are Facebook and Instagram users at risk for account takeover on their own Facebook and Instagram accounts, but their other accounts may be at risk as well due to password reuse.
Further complicating the issue is Facebook Connect.
Facebook Connect allows users to log into other sites using their Facebook credentials. Now all of those accounts are also at risk. From a corporate standpoint, any company that offers Facebook Connect for its users to log in should also disclose this security incident to its users.
What can other organizations do in light of this massive password security incident?
Because security incidents like this one have a ripple effect on other sites, we highly encourage any organization that offers online account access to screen for compromised credentials. It is a remarkably simple way to better protect your users without adding more friction to accessing their accounts.
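As an added example of what "screening for compromised credentials" can look like in practice (this is not Enzoic's product code, and no real breach feed is contacted), the block below builds a local index over a constructed list of breached passwords and checks a candidate password against it using the k-anonymity range-query pattern: the checking side sends only the first five hex characters of the SHA-1 hash, receives every suffix stored under that prefix, and finishes the comparison locally, so the full hash never leaves the client. The corpus, the prefix length and the function names are assumptions for this illustration.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List

# Constructed stand-in for a breach corpus. A real deployment would load this
# from a compromised-credential feed, not hard-code it.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "football"]

PREFIX_LEN = 5  # k-anonymity prefix length, assumed for this example


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; this is an index key, not a
    storage format, and is only used so the lookup side never sees plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: List[str]) -> Dict[str, List[str]]:
    """Server side: bucket hash suffixes under their prefix."""
    index: Dict[str, List[str]] = defaultdict(list)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].append(digest[PREFIX_LEN:])
    return dict(index)


def range_lookup(index: Dict[str, List[str]], prefix: str) -> List[str]:
    """Server side: the only thing received is a short prefix, so the server
    cannot tell which password (if any) the client holds."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return index.get(prefix, [])


def is_compromised(index: Dict[str, List[str]], password: str) -> bool:
    """Client side: send the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_lookup(index, prefix)


def login_decision(index: Dict[str, List[str]], password_ok: bool, password: str) -> str:
    """Fold the screen into a login flow. Screening runs only after the
    password itself verified, so it adds no friction to a failed attempt and
    never reveals a result for a password the user does not actually hold.
    Returns a constructed action label for the example."""
    if not password_ok:
        return "deny"
    if is_compromised(index, password):
        return "allow_but_require_reset"
    return "allow"


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", is_compromised(idx, candidate))
```

The check is cheap (one hash and a dictionary lookup), it needs no change to how users authenticate, and it catches exactly the failure mode described above: a password that was fine when the user chose it but has since shown up in someone else's breach.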
This is a Security Bloggers Network syndicated blog from Blog – Enzoic authored by Kristen Wilson. Read the original post at: https://www.enzoic.com/facebook-password-security-incident/