IT. SECURITY. OPEN SOURCE.


Facebook Exposes Millions of Passwords in Clear Text

Facebook has been under the spotlight for quite some time now for its poor security and privacy practices. With this latest privacy blunder, it's obvious that the company has not learned from its past. Last week it was uncovered that the company has been storing passwords in clear text. This not only affects Facebook users, but Instagram users too. It was not revealed why these passwords were stored in clear text; what is known is that it affects millions of the company's users.

In a Facebook blog post, Pedro Canahuati, VP of Engineering, Security and Privacy, mentioned that the company uncovered the error in January during a routine security review. Canahuati also stated that these clear text passwords were only viewed by people who worked for the company.

At least LinkedIn has your back… Oh, never mind.

Let's not forget the many security breaches which affected passwords in the past. In 2012, LinkedIn had millions of passwords stolen from the company by hackers. In that breach the passwords had been hashed, but with a low-grade hashing algorithm. At least in LinkedIn's case we can say the passwords were somewhat protected. In Facebook's instance, they did not even bother to hash the passwords. If the passwords were ever stolen, we would see another Yahoo! breach in the making.

Protecting Yourself Online

Canahuati did not mention in his post how to remedy the issue, other than to say that passwords are hashed and salted when an account is created. I would still suggest that everyone change their password anyway and activate multifactor authentication for their account. That way, even if someone had the password, they would not have the one-time code generated by an authenticator app or a hardware token like a YubiKey. This applies to Instagram accounts as well, since they were also affected.
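As an added example (not code from the original posts or from Facebook), here is the contrast the two posts draw, in Python: a fast, unsalted hash of the kind called "low grade" above, which leaks which users share a password, next to a salted, iterated hash with constant-time verification. The iteration count, record layout and sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import os

# A "low grade" scheme: one fast, unsalted hash over the password.
# Every user with the same password gets the same digest, so one cracked
# digest (or one precomputed table) unmasks all of them at once.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# A salted, slow scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user.
# The iteration count and record layout are constructed for this example.
ITERATIONS = 200_000

def make_record(password: str) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never authenticate
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def shared_password_groups(user_digests: dict[str, str]) -> list[set[str]]:
    """With unsalted hashes, equal digests reveal which users share a password."""
    groups: dict[str, set[str]] = {}
    for user, digest in user_digests.items():
        groups.setdefault(digest, set()).add(user)
    return [users for users in groups.values() if len(users) > 1]

if __name__ == "__main__":
    # Constructed sample accounts; "hunter2" is reused by two users on purpose.
    users = {"alice": "hunter2", "bob": "correct horse", "carol": "hunter2"}
    weak = {u: weak_hash(p) for u, p in users.items()}
    print("unsalted hash leaks shared passwords:", shared_password_groups(weak))
    strong = {u: make_record(p) for u, p in users.items()}
    print("salted records differ for alice/carol:", strong["alice"] != strong["carol"])
    print("verify alice:", verify("hunter2", strong["alice"]))
    print("verify wrong:", verify("hunter3", strong["alice"]))
```

The salted records for alice and carol differ even though their passwords are identical, which is exactly what the unsalted scheme fails to provide.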

One cannot trust the privacy and security that a service provider offers. We must take it upon ourselves to better protect our online identities from the mishaps of the services we use. Using a password manager so that we never reuse a password between services, and enabling multifactor authentication on every service that offers it, is the only way to protect ourselves.

The Need for Better Transparency In Data Breaches

We hear of new data breaches almost every day, so many that we have reached the pinnacle of "breach fatigue," the feeling consumers get when they are tired of hearing about theft of their personal information due to carelessness on the part of a company. From Equifax and Yahoo! to Cambridge Analytica, our personal, sensitive information is out on the public internet. Poor cyber security practices are just one of the two main issues behind data theft at organizations. The second is how companies respond after a breach has occurred.

Google is now part of a long-standing problem we see today: hiding information from consumers with regard to a data breach. This latest breach, affecting the Google+ platform, exposed half a million user records through a flaw in their API, a flaw the company had known about since 2015. To make matters worse, Google knew of the breach in March of 2018 and yet did not disclose this information until October 8. This is not the first time a company has failed to disclose a data breach. Yahoo! was fined $35 million for not disclosing its breach, which occurred in 2014. Why was there such a delay in the announcement, and why do lawmakers allow this to continue?

The U.S. does not have a federal law which protects consumer privacy. This need for protection has been left up to the states to enact privacy laws, which most states have done. However, more oversight is needed to ensure better transparency between companies and consumers. Without additional oversight, this unfortunate practice of withholding breach information will only continue.

So what is next for Google? The typical "…the implementation of better privacy and security protections." We have heard this story before. The surprising action is that Google is now shutting down Google+ for good. Google+ could have been a great platform, though the market is saturated with social networking sites. Hopefully Google will make good on its word and Congress will have a wake-up call.

For more information on Google’s breach head over to the Wall Street Journal – Google Exposed User Data, Feared Repercussions of Disclosing to Public.

© Copyright 2020 – Jason Brown