Facebook has been in the news a lot lately and it has not been positive for them. Just after Mark Zuckerberg recently announced that he plans for Facebook to become focused on encryption, privacy, and security, Facebook has revealed that they might have had an internal security breach that could affect Facebook and Instagram users.
The Social Media tech titan admitted that up to 600 million passwords were stored in plain text on its internal servers after security expert Brian Krebs revealed this on his blog. The Data Protection Commission has said they have been contacted by Facebook and that they are seeking further information as this might come under GDPR jurisdiction.
If you have a Facebook or Instagram account what should you do? According to Paul Ducklin, senior technologist, Sophos you should change your password. “It’s perfectly possible that no passwords at all fell into the hands of any crooks as a result of this. But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before), then you can expect them to be abused. Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed.”
Paul also recommends turning on two-factor authentication. ” We’ve been urging you to use two-factor authentication everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account. If you are reluctant to give Facebook your phone number, use app-based authentication, where your mobile phone generates a one-time code each time you log in”.
John Shier, senior security advisor at Sophos comments:
“Despite the recent public struggles Facebook has had with respect to privacy and security, this incident is a little different. Authentication data is something that Facebook treats very seriously and has put in place many mechanisms, both externally and internally, to ensure that user credentials are safeguarded. While the details of the incident are still emerging, this is likely an accidental programming error that led to the logging of plain text credentials. That said, this should never have happened and Facebook needs to ensure that no user credentials or data were compromised as a result of this error. This is also another reminder for people who are still reusing passwords or using weak passwords to change their Facebook password to something strong and unique and to turn on 2-factor authentication.”