Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
Facebook is a criminal enterprise that needs to be broken up into its constituent parts sooner rather than later.
Thom Holwerda,
A bit harsh given that osnews just recently went through its own security ordeals with remote database access vulnerabilities that existed for who knows how long. Sure, the security expectations may be higher for huge corporations, but just sayin’: let he who is without sin cast the first stone!
Sounds like a case of some junior engineer not understanding that you’re not supposed to log SPI without masking.
Alfman, I agree with your comments 99.9% of the time, but in this case I believe that it is completely reasonable to have far higher security expectations towards a top-ten market cap company than towards OSAlert, also taking into account the difference of several orders of magnitude between the business model and the amount of personal data collected and processed by Facebook vs the data processed by OSAlert.
Yes, Facebook should be held to higher standards, but in this case, they didn’t do anything deliberately “criminal”, it was just an oversight on the logging part of the system.
It doesn’t have to be deliberate to be a crime; criminal negligence is a thing. They were arguably very negligent in their storage of private information. At the very least heads should roll in the responsible department, for not implementing measures to prevent and detect data leaks of this nature.
winter skies,
Ironically in my case osnews holds more data on me than facebook, haha.
I do sympathize with osnews. In my line of work I’m expected to keep systems secure even though clients have no budget for it. It’s frustrating when I can’t deliver the quality I’d like due to budgeting, but what do you do about it? I once had a client who needed a lot of website repairs, and I did a good job for him, but then he refused to pay so I had to roll everything back and I learned an unfortunate lesson: you can’t deliver quality to a client who doesn’t value it themselves. While there’s obviously a lot that can go wrong under the hood, that doesn’t necessarily show on the surface and many clients don’t show any appreciation for anything other than what’s showing on the surface.
Huge multinational corporations have fewer excuses for security lapses, but I’m not aware if “criminal law” actually makes any kind of distinction based on a company’s magnitude? If we were to pass laws making companies criminally negligent over security vulnerabilities (which I assume Thom is in favor of), then I think that most small businesses would be equally guilty. It would only be a matter of time before the IT equivalent to “ambulance chasers” would crop up to make a quick buck suing company after company in court, which is something to think about.
For me, the main point is not the size of the organization, but the fact that its sole purpose for existing is to accumulate as much information as it can about as many people as possible. If that is your raison d’être (cf. credit bureaus, etc.), then you should be held to a much higher standard.
I think it’s fundamentally wrong to assume that a bunch of smaller companies would be any better at security or privacy. These security issues in particular are from 2010 or so, when Facebook was much smaller. Oh, and there were much worse privacy violations even before that. Being able to look at any user’s personal details, including ex-romantic partners, etc., used to be touted as a perk of the job… It was a stalker’s paradise. From what I’ve heard the internal controls are better now.
I think fundamentally what needs to happen here is regulation that requires external third-party audits. Making facebook might be good for other reasons, but I think in general we need third-party verification of its privacy and security practices.
Bill Shooter of Bul,
Yeah, it sounds like the passwords got logged along with other data. It would be ironic if these logs were themselves the product of increased security audits. “Hey, we need to log the traffic on these pages for security auditing purposes”.
I’d start with the “Login with Facebook” third-party login, which is an inherently dangerous feature IMHO. I strongly dislike Facebook having keys to user accounts on so many third-party websites.
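The two comments above describe the failure mode concretely: passwords captured into general-purpose or audit logs because nothing masked sensitive fields before they were written. The example below is added here to illustrate the mitigation they allude to; it is not code from the thread or from Facebook. It assumes a Python service that logs request events as dictionaries and uses a `logging.Filter` to redact a constructed list of sensitive key names (`SENSITIVE_KEYS`) both in structured fields and inside `key=value` pairs embedded in strings such as URLs, so the same record never reaches any handler with a credential in it.

```python
import io
import json
import logging
import re
from typing import Any

# Field names treated as sensitive personal information (SPI).
# This set is an assumption for the example; a real service would
# derive it from its own request schema rather than guess.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "token", "session", "ssn"}
MASK = "[REDACTED]"

# Matches "password=hunter2" style pairs inside free text (URLs, form bodies).
_KV_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(sorted(SENSITIVE_KEYS)) + r")=([^&\s\"]*)"
)


def redact_text(text: str) -> str:
    """Mask the value of any sensitive key=value pair embedded in a string."""
    return _KV_PATTERN.sub(lambda m: f"{m.group(1)}={MASK}", text)


def redact(value: Any) -> Any:
    """Recursively mask sensitive keys in dicts/lists and key=value pairs in strings."""
    if isinstance(value, dict):
        return {
            k: (MASK if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return redact_text(value)
    return value


class SpiMaskingFilter(logging.Filter):
    """Rewrite the log record before any handler formats or stores it."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, dict):
            # Structured event: redact fields, then serialize deterministically.
            record.msg = json.dumps(redact(record.msg), sort_keys=True)
            record.args = ()
        elif isinstance(record.msg, str):
            record.msg = redact_text(record.msg)
        return True  # never drop the record, only clean it


def capture_log(event: dict) -> str:
    """Log one event through the masking filter and return what would have been written."""
    buf = io.StringIO()
    logger = logging.getLogger("audit-example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(SpiMaskingFilter())
    logger.addHandler(handler)
    logger.info(event)
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample event, the kind of "log the traffic on these pages"
    # record that would otherwise persist the cleartext password.
    sample = {
        "event": "login",
        "user": "alice",
        "password": "hunter2",
        "url": "/login?username=alice&password=hunter2",
    }
    print(capture_log(sample))
```

Attaching the filter to the handler means it runs regardless of which module emitted the record, which is the point: the engineer writing the audit log is not the one who has to remember to mask. It is still a second line of defence; the first is not passing the credential field to the logger at all, and a detection check that greps the log store for the known test account's password on every deploy catches regressions in either.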
Facebook should be split in at least three companies: Facebook, WhatsApp and Instagram.
The most absurd thing I’ve heard in the past few days is that Instagram will allow one to purchase products. It’s complete nonsense, given that the purpose of Instagram is to share photos, not buy clothes, shoes or jewelry…