Brian Krebs, a leading light in the world of security, has announced that Facebook has been storing up to 600 million user passwords in plain text – some "for years." Facebook has shared a press release acknowledging the incident, indicating that Facebook Lite users will have the highest volume of affected users (in the hundreds of millions), other Facebook users in the tens of millions, and Instagram users in the tens of thousands. The social media giant discovered the incident as part of a routine security review back in January 2019, noting that some user passwords were being stored in a readable format within its internal data storage systems, and that some of its software engineers had searched these passwords.
The messaging coming out of Facebook is that these passwords were inadvertently stored in plain text, only visible to Facebook employees, and that there is no evidence to date that anyone internally abused or improperly accessed them. However, if – as is suspected – Facebook developers and engineers have built applications that logged unencrypted passwords (surely a security policy failure), then these passwords have been clearly visible and at least some people have been aware of this for some time. As such, it is likely to be a breach of GDPR for any passwords exposed for EU citizens.
A German social media company was recently fined €20,000 under GDPR for storing passwords in plain text – a small fine considering that up to 4% of annual turnover was at stake. However, the company reported the breach within the mandatory 72 hours and fully cooperated with its customers and the local supervisory authority, which impacted on the level of the fine. It is unclear whether the relevant supervisory authorities have been informed by Facebook about these exposed passwords – if indeed EU citizens are affected.
Facebook may argue that this was not a security incident because the passwords were only exposed internally but the insider threat is real, and not having evidence of anyone abusing or improperly accessing the passwords doesn't mean it hasn't happened.Also, although not every insider is a threat sloppy or unintentional behavior can result in a security incident. According to Dark Reading's report, How Data Breaches Affect the Enterprise (https://ubm.io/2HioouR), 61% of survey respondents believe that the top cause of major breaches is likely to be end users (insiders) that are negligent or break security policy.
This breach will be excruciatingly uncomfortable for Facebook at a time when consumers do not trust the majority of organizations with their data. Ovum's survey, Digital Consumer Insights 2018: Data Privacy, found that concerns over data privacy have prompted 10% of survey respondents to churn their social media accounts, while a further 20% use services much less. Many consumers are less tolerant of companies that do not respect data privacy or have weak safeguards and, as a result, are changing how they interact with services, with negative results.
All organizations face complex cybersecurity challenges, but for the likes of Facebook, users expect zero security incidents and breaches. While this is pretty much impossible, the impact that this security incident has on Facebook usage remains to be seen.
There is the strong possibility that Facebook is looking to acquire a security technology company to bolster its security credentials. Don't be surprised if this happens sooner rather than later.
Cybersecurity: Impact and Opportunities, INT003-000336 (March 2019)
Digital Consumer Insights 2018: Data Privacy, CES006-000044 (November 2018)
The Insider Threat: Know It and Work with It, INT003-000259 (October 2018)
Maxine Holt, Research Director