Facebook is facing scrutiny once again today by disclosing that it accidentally stores “hundreds of millions” user passwords in plaintext. To make matters worse, 20,000 Facebook employees had access to view these passwords. Instagram users are also impacted by this massive oversight.
There are so many things wrong here.
In the day and age, obviously no company or organization should be storing user passwords in plaintext and most companies should not even store passwords in a reversible format. 20,000 employees should never have access to a database of passwords, even if they are hashed or encrypted. Only a handful of admins should have access to that data.
This is not only a privacy risk, it is a profound security risk.
If this data is leaked to the internet or dark web, there will be a ripple effect of this security incident that impacts far more than just Facebook and Instagram.
Not only are Facebook and Instagram users at risk for account takeover on their own Facebook and Instagram accounts, but their other accounts may be at risk as well due to password reuse.
Further complicating the issue is Facebook Connect.
Facebook Connect allows users to log into other sites using their Facebook credentials. Now all of those accounts are also at risk. From a corporate standpoint, any company that offers Facebook Connect for their users to login, should also disclose this security incident to their users as well.
What can other organizations do in light of this massive password security incident?
Because of security incidents and data breaches that have a ripple effect on other sites, we encourage any organizations to simply screen for compromised credentials when users/customers login into their account. It is a remarkably simple way to protect your users without adding more friction to the customer experience.