Millions of Facebook Passwords Left Exposed

Consumer Reports has no financial relationship with advertisers on this site.

Facebook announced Wednesday in a blog post that passwords belonging to “hundreds of millions” of users were stored unencrypted on the company’s servers, where they could have been accessed improperly by Facebook employees.

The company says it has no evidence the passwords were stolen or misused, and says that they weren’t available to anyone outside the company. The problem was discovered in January, according to the blog post.

“We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” the post said. 

That will include “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the post said. Facebook Lite is designed to work over slow data connections.

The new incident doesn’t pose much danger to consumer data, according to privacy experts, but it further erodes consumer trust in Facebook’s privacy and security practices.

“This is far from the first privacy and security incident at Facebook within the last year,” says Justin Brookman, director of consumer privacy and technology policy for Consumer Reports. “Software bugs happen, especially at large institutions like Facebook with so many moving parts, but it’s surprising that an issue of this magnitude slipped through for as long as it did.”

According to reporting by KrebsOnSecurity, a noted source of security news, employees have had access to some passwords since 2012. But Facebook says it did not become aware of the issue until January.

Standard security practice is to “hash” passwords before storing them. A hash function turns the password into a fixed-length string of letters and numbers that cannot be reversed to recover the original; the service keeps only that string and, at login, hashes what the user types and checks that the results match. Proper password hashing also mixes in a random per-user “salt” and uses a deliberately slow algorithm (bcrypt, scrypt, Argon2 or PBKDF2), so that even a stolen table of hashes is expensive to crack. If a password is stored in plain text, as was the case with Facebook, anyone who reads it can use it to log in to the account.
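The difference in practice, as an added Python illustration that is not from the article or from Facebook: a plain-text user table next to one that stores only salted hashes, using PBKDF2-HMAC-SHA256 from the standard library. The iteration count, class names and user names are illustrative choices for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Illustrative parameters (assumptions for this example): PBKDF2-HMAC-SHA256 from the
# standard library. Tune ITERATIONS so one login costs a noticeable fraction of a second.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record a service stores instead of the password itself.

    The record carries the algorithm, iteration count and per-user random salt so the
    same computation can be repeated at login; the password cannot be recovered from it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class PlaintextUserStore:
    """The mistake the article describes: anyone who can read the table can log in."""

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self._table[user] = password

    def login(self, user: str, password: str) -> bool:
        return self._table.get(user) == password

    def dump(self) -> Dict[str, str]:
        return dict(self._table)


class HashedUserStore:
    """Stores only salted hashes; a leaked table yields no reusable passwords."""

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self._table[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        stored = self._table.get(user)
        return stored is not None and verify_password(password, stored)

    def dump(self) -> Dict[str, str]:
        return dict(self._table)


if __name__ == "__main__":
    for store_cls in (PlaintextUserStore, HashedUserStore):
        store = store_cls()
        store.register("alice", "correct horse battery staple")
        store.register("bob", "correct horse battery staple")  # same password, different salt
        print(store_cls.__name__, store.dump())
```

Because each user gets a fresh salt, two people who chose the same password end up with different records, so a leaked table cannot be cracked once and applied to everyone.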

“It’s good news for consumers that Facebook says none of the data was exploited by bad actors, but this is alarming, especially because many people tend to reuse the same password across different services,” says Bob Richter, who heads Consumer Reports’ privacy and security testing. “Facebook should be doing more to prevent this kind of issue before it happens, and catch it faster when it does."

According to Patrick Jackson, chief technology officer of the data security firm Disconnect, the problem was likely the result of a poorly designed internal logging system. Companies big and small keep a history of all the activity and information being transmitted on their platforms so there’s a trail to follow in the event of a data breach.

Passwords should always be excluded from these data sets to protect users’ privacy, Jackson says. “If you’re collecting data that shouldn’t be captured in the first place and storing it, that’s really problematic,” he says. 

Facebook said by email that the passwords were stored inadvertently under various scenarios, for instance in logs generated during computer crashes. 
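As an added example (not from the article, Facebook or Disconnect), here is one way a service can keep passwords out of the logs Jackson describes: a scrubbing step that redacts password-like fields from structured records, form bodies and JSON embedded in free-form messages, attached to Python's standard logging module as a filter so it runs before any handler writes to disk. The field-name list, the sample log lines and the logger name are constructed for the illustration.

```python
import io
import json
import logging
import re
from typing import Any, Iterable, List

# Field names that must never reach disk. Assumed list for the example; extend it for your app.
SENSITIVE_KEYS = ("new_password", "old_password", "passwd", "password", "secret", "token")
REDACTED = "[REDACTED]"
_KEYS = "|".join(re.escape(k) for k in SENSITIVE_KEYS)

# key=value pairs in query strings and form bodies, e.g. "user=alice&password=hunter2"
_KV_RE = re.compile(r"(?i)(?<![A-Za-z0-9])(" + _KEYS + r")=([^&\s\"']*)")
# "key": "value" pairs inside JSON documents embedded in a message (e.g. a crash dump)
_JSON_RE = re.compile(r'(?i)("(?:' + _KEYS + r')"\s*:\s*)"(?:[^"\\]|\\.)*"')


def redact_obj(obj: Any) -> Any:
    """Redact sensitive keys in structured data (dicts and lists), recursively."""
    if isinstance(obj, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_obj(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_obj(v) for v in obj]
    return obj


def redact_text(text: str) -> str:
    """Scrub a free-form log line: embedded JSON first, then key=value pairs."""
    text = _JSON_RE.sub(r'\g<1>"' + REDACTED + '"', text)
    return _KV_RE.sub(r"\g<1>=" + REDACTED, text)


def log_structured(event: dict) -> str:
    """Serialise a structured log event with sensitive fields already removed."""
    return json.dumps(redact_obj(event), sort_keys=True)


class RedactingFilter(logging.Filter):
    """Scrubs the fully formatted message before any handler sees the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


# Constructed sample lines of the kind a request logger or crash handler might emit.
SAMPLE_LINES = [
    'POST /login body="user=alice&password=hunter2&remember=1"',
    'crash dump: request={"user": "bob", "password": "correct horse", "ip": "10.0.0.5"}',
    "login ok user=carol",
]


def redact_lines(lines: Iterable[str]) -> List[str]:
    return [redact_text(line) for line in lines]


def demo_logging() -> str:
    """Route a logger through RedactingFilter and return what would have been written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("example.redact")  # assumed logger name for the demo
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    for line in SAMPLE_LINES:
        logger.info(line)
    logger.error("unhandled exception while processing %s", "user=dave&password=s3cret")
    handler.flush()
    return stream.getvalue()


if __name__ == "__main__":
    print(demo_logging(), end="")
    print(log_structured({"event": "login", "user": "erin", "password": "pw", "ctx": [{"token": "abc"}]}))
```

Pattern-based scrubbing is a last line of defence: the safer fix is to never hand the raw request body or form data to the logger in the first place, and to treat any line containing a secret that slips past the filter as a security incident.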

What Steps Should You Take Right Now?

Facebook says it will soon start alerting users whose passwords were stored in plain text. There’s no reason to wait.

If you use Facebook or Instagram, it’s a good idea to change your password. To add another layer of defense, activate two-factor authentication.

Once you turn the feature on, the service asks for a second proof of identity whenever you sign in from a new location, device, or browser: a one-time code sent by text message or generated by an authenticator app on your phone. That makes it significantly more difficult for someone to break into your account, even if they know your password.

To adjust your Facebook log-in credentials using a computer browser, head to the Privacy Shortcuts page by clicking the question mark icon in the top right corner, and then scroll down to change your password and turn on two-factor authentication. To make the same changes in Instagram, open the mobile app, select Settings, and tap Privacy and Security.

CR’s Richter says it’s better to use an app such as Duo Mobile or Google Authenticator for two-factor authentication instead of text messages. Those options are available in the settings for both Facebook and Instagram.
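As an added example, not part of the article and not a description of how Facebook or Instagram implement it: the time-based one-time password scheme (RFC 6238, built on the HMAC counter scheme of RFC 4226) that authenticator apps such as Google Authenticator and Duo Mobile use, together with the server-side check a service performs on the six-digit code, including the replay guard a practitioner would want. The base32 key in the usage is the RFC test secret; the class and function names are the example's own.

```python
import base64
import hashlib
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Apps share the secret as base32; tolerate lowercase, spaces and missing padding."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


class AuthenticatorFactor:
    """Server-side state for one user's authenticator-app enrolment.

    check() accepts the code for the current step or one step either side (clock drift)
    but refuses any step at or below the last one accepted, so a code that was phished
    or intercepted cannot be replayed within its 30-second window.
    """

    def __init__(self, base32_secret: str, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.secret = decode_base32_secret(base32_secret)
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1

    def check(self, code: str, now: int) -> bool:
        # Reject malformed input before the constant-time comparison.
        if not (len(code) == self.digits and code.isascii() and code.isdigit()):
            return False
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue  # already used, or older than a code already accepted
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test key "12345678901234567890" in base32, as an app would store it.
    key = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    factor = AuthenticatorFactor(key)
    now = int(time.time())
    code = totp(decode_base32_secret(key), now)  # what the phone app would display
    print("code:", code, "accepted:", factor.check(code, now), "replay:", factor.check(code, now))
```

Note that the secret itself is a shared symmetric key: the server must store it as carefully as a password hash (encrypted at rest, never in logs), because anyone who reads it can generate valid codes.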

While you’re at it, introduce some friction for would-be hackers by following our guide to better passwords. One tip to get you started: Steer clear of any passwords you’ve used before.

If you really want to protect yourself, many privacy and security experts recommend using a password manager such as 1Password or LastPass, which will generate unique, random passwords for every service you use, and keep track of them for you.

Once you’ve locked down your log-in credentials, you can take even more control of your data by adjusting your privacy settings on Facebook and Instagram.

Editor's Note: This article has been updated to include additional information from Facebook.

Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2019, Consumer Reports, Inc.