PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

Facebook Stored Up to 600M User Passwords in Plain Text

Facebook engineers built applications that stored unencrypted passwords on internal servers which could be searched by over 20,000 employees.

Matthew Humphries
 & Matthew Humphries Former Senior Editor

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

It looks as though Facebook is in hot water once again today as it has been revealed up to 600 million Facebook users had their passwords stored in plain text on the social network's internal servers as far back as 2012.

As KrebsonSecurity reports, a Facebook source who asked for anonymity confirmed that between 200 and 600 million users had their passwords stored free of encryption on the company's servers. The data was being collected by a number of applications, leaving them available to view in plain text. The internal servers are accessible by over 20,000 employees, meaning any of them could have searched the list and potentially abused the data.

Facebook is thought to be carrying out an internal investigation to see how this managed to happen. What's of most concern is around 2,000 Facebook engineers are thought to have queried the password data over nine million times.

Scott Renfro, an engineer at Facebook, has confirmed to Krebs that Facebook users will be informed of what happened today, but that, "We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data." Before that happens, Facebook has been looking to see which, if any of the passwords have, "signs of abuse" because it's only those users that will need to be told to change their password. As it currently stands, no resets are expected to be necessary.

Facebook has known about the plain text passwords since January when a review carried out by security engineers noticed the passwords being logged. A task force was then created to review the situation and an investigation carried out so as to instigate, "long-term infrastructure changes to prevent this going forward."

A written statement from Facebook sent to Krebs states that notifications will be sent to, "hundreds of millions of Facebook light users, tens of millions of other Facebook users, and tens of thousands of Instagram users."

About Our Expert

Matthew Humphries

Matthew Humphries

Former Senior Editor

My Experience

I started working at PCMag in November 2016, covering all areas of technology and video game news. Before that I spent nearly 15 years working at Geek.com as a writer and editor. I also spent the first six years after leaving university as a professional game designer working with Disney, Games Workshop, 20th Century Fox, and Vivendi.

I hold two degrees: a Bachelor's degree in Computer Science and a Master's degree in Games Development. My first book, Make Your Own Pixel Art, is available from all good book shops.

My Areas of Expertise

  • PC components and system building
  • Raspberry Pi
  • Software development
  • Storage technology
  • Video games and gaming hardware

Read the latest from Matthew Humphries

Read full bio