Today, Krebs on Security has revealed that Facebook was storing between 200 and 600 million Facebook users' passwords in plain text, going back to as early as 2012. While Facebook claims to have found no indication that the passwords were abused, an insider speaking to Krebs on Security claims that around 2,000 developers made around 9 million queries against the logs, returning data that contained these plain-text passwords.
An anonymous source reportedly spoke to Krebs on Security about the subject, explaining that the passwords were stored unencrypted — pretty much the single biggest "no-no" in password-based security — as part of recorded logs for some applications. The precise number of affected users hasn't been determined, but the problem is estimated to affect between 200 and 600 million accounts going back to at least 2012, according to the company's archives. The source stated that Facebook will try to push its own estimates of these numbers as low as possible in later statements by deliberately counting only certain sources of data.
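The failure described above is credential material reaching application logs; the two defensive controls are scrubbing sensitive fields before a line is written and auditing archived logs for anything that slipped through. The following is an added example, not Facebook's code; the list of sensitive keys and the sample log lines are constructed assumptions.

```python
import re

# Keys whose values must never reach a log line (assumed list; extend per application).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "old_password", "token", "secret"}
REDACTED = "[REDACTED]"

def redact_event(event):
    """Return a copy of a structured log event with sensitive values masked.
    Walks nested dicts and lists so a password buried in a request body is caught too."""
    if isinstance(event, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact_event(v))
                for k, v in event.items()}
    if isinstance(event, list):
        return [redact_event(v) for v in event]
    return event

# Matches credential-like key/value pairs in free-text lines: form bodies
# (password=hunter2), JSON fragments ("password": "hunter2") and "key: value" text.
_PATTERN = re.compile(
    r'(?i)(?P<key>\b(?:' + '|'.join(sorted(SENSITIVE_KEYS)) + r')\b)'
    r'(?P<sep>"?\s*[:=]\s*"?)'
    r'(?P<val>[^\s&",}]+)'
)

def redact_line(line):
    """Mask sensitive values in an unstructured log line before it is written."""
    return _PATTERN.sub(lambda m: m.group("key") + m.group("sep") + REDACTED, line)

def find_leaks(lines):
    """Audit existing log lines: return (line_number, key) for every plaintext credential
    still present, so the scope of an incident is measured rather than assumed."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in _PATTERN.finditer(line):
            if m.group("val") != REDACTED:
                hits.append((n, m.group("key").lower()))
    return hits

# Constructed sample log lines, not real data.
SAMPLE_LOG = [
    'INFO login user=alice password=hunter2 ip=203.0.113.7',
    'DEBUG body={"user": "bob", "password": "s3cret!", "remember": true}',
    'INFO logout user=alice',
]
```

Running `find_leaks` over archived logs before scrubbing gives the count of affected lines; running it again afterwards verifies that the redaction actually removed them.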
Scott Renfro, a software engineer at Facebook, told Krebs on Security that the company would not be pushing password resets to mitigate its security problems. "In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse."
Facebook reportedly first spotted its long-standing security failure in January, though it took at least two months for the issue to be made public.
Presumably in response to Krebs' report, Facebook issued a statement about general password security earlier today, acknowledging in the abstract that there has been a breach but without providing the level of detail included in Krebs' coverage. Most of the post talks about improvements individual users can make to their accounts to enhance their own security, seemingly overlooking that users had nothing to do with this particular problem.
If Facebook can't even take password security seriously, how can it ever hope to convince users it understands the mere meaning of the word "privacy"?
Alternate title: Facebook does literally the one thing you're never supposed to do with passwords, doesn't notice for years, hides it for months, then brushes it under the rug.