About a month ago, Facebook owned up to a programming blunder that’s been a top-of-the-list coding “no-no” for decades.
The social networking behemoth admitted that it had been logging some passwords in plaintext, saving a record of exactly what your password was, character by character, rather than just keeping a cryptographic hash used for verifying that your password was correct.
Well, it’s just updated its March 2019 admission to state that the number of plaintext passwords found scattered round its systems in various logfiles is greater that originally thought.
Back in March, the damage was said to involve hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users, but yesterday the company updated its bulletin to say:
Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.
Simply put, the chance that your Instagram password was stored somewhere in a logfile, somewhere in Facebook’s network, turns out to be 100 times greater than you might have thought last month.
We didn’t get an alert about either our Instagram or Facebook password having been affected back in March 2019, but we followed our own advice and changed our password anyway, so we’re not worried about this new announcement.
If anyone at Facebook had been able to retrieve our password from somewhere in Facebook’s sea of data – and we suspect they’d have gone directly after all our other data anyway, rather than bothering to log in with our account – then that old password is valueless now.
We’ve also had two-factor authentication (2FA) turned on for ages, and we are in the habit of logging out formally from both Facebook and Instagram, on both our laptop and our mobile phone, on a regular basis.
Regular logouts are mildly annoying, given that we have to log back in using both our password and 2FA code, but we think it’s a small price to pay to make life harder for the crooks.
It also gets us in the habit of checking through the “who logged in from where and on which device” logs regularly, which gives us a better chance of spotting wrongdoing against our account.
So, once again, we’re not panicking, and we’re not advising you to close either your Facebook or your Instagram account – at least, not on this basis alone.
To repeat our advice from last time:
We can’t answer that for you.
Given that the wrongly stored passwords weren’t easily accessible in one database, or deliberately stored for routine use during logins, we don’t think this breach alone is enough reason to terminate your account.
(For what it’s worth, we’re not closing ours.)
Why not?
It’s highly unlikely that any passwords were acquired by any crooks as a result of this, but if any plaintext passwords do end up in the wrong hands, you can be sure that the crooks will try them out right away.
So our advice is: don’t wait for Facebook or Instagram to warn you – change your password now.
(We already changed ours, back in March 2019 when the first warning came out.)
Yes.
We’ve been urging you to do this everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account.
(We did it it ages ago.)
Here’s the special edition of Naked Security Live that we presented back in March 2019 – all the advice we give in this video is still relevant, and covers a range of questions, including:
(Watch directly on YouTube if the video won’t play here.)