Krebs said as many as 600 million users could be affected — about one-fifth of the company’s 2.7 billion users, but Facebook has yet to confirm the figure.
👉 Full story on TechCrunch
Mind boggling
For further actions, you may consider blocking this person and/or reporting abuse
Top comments (27)
... No plaintext passwords is always the first thing I taught students when they were learning auth. That's a pretty surprising mistake to make it through a huge engineering team.
This is likely a logging problem, not an auth problem. They store passwords as salted hashes for validation purposes. But some http logging doesn't exclude/scrub these request properly so they end up in Elastic. Why would your logs be encrypted?
In fact I expect this is only occurs with change password, not with auth or account creation. Others have been hit with this like that before.
Not to say this isn't terrible and boneheaded, but it's likely not quite as boneheaded as it first sounds.
Based on some of what I remember from the book Accidental Billionaires, Facebook did a lot of stuff that is mind-bogglingly renegade. Bad even for even small startups.
So it probably isn’t “as bad as it sounds”, but Facebook shows up in the news in these ways too often to get much benefit of the doubt.
I just read the TechCrunch article, 2,000 engineers had access to these logs. That's mind-blowing to me.
Yeah, Facebook is one of the most Valley-est of Valley companies as far as "move fast and break things" since they don't care at all about their users. Securing data according to any sort of "need to know" could slow them down so they don't bother.
As far as I know they invented “move fast and break things” or are at least synonymous with it.
Yep, afaict Mark Zuckerberg coined it, and it was a Facebook company motto until around 2014. Though I can't seem to find any original sources from the time, it seems the famous quote is: "Move fast and break things. Unless you are breaking stuff, you are not moving fast enough."
(Also: m.xkcd.com/1428/)
There really is an xkcd for everything!
Double ROT13 just to be sure.
Hence the benefit to use a Password Manager.
I should definitely write a blog post about it and how I managed to remove the hassle about password managers, multi OS (Windows, MacOs, Linux) and the mobiles (iOS, Android) and syncing all of that as simply as doing nothing (all done automatically after a first configuration). :-)
All of that on Open Source softwares and only on my devices (backup on a NAS or RaspberryPi).
Would love to read that. What software do you use? 👀
Actually, I wrote a post about setting up your own Dropbox and Evernote like using a Raspberry Pi and Open Source Software.
You can find it here :
Do you care about your privacy? Maybe it is time to set up your own Dropbox.
Rémi Lavedrine
Enjoy and tell me if you find it useful.
Whats the benefit if the generated password is in their log ?
The benefit of using random generated passwords is that only the password for Facebook has leaked, which cannot be used to get access to any other place online.
Since the leak is known now and most likely addressed by Facebook ASAP, the only thing you have to do is to generate a new password for Facebook, and Facebook only. No need to hunt down all places online where you may or may not have recycled the same old
password123.Another good auth practice is using Two-Factor-Authentication when offered by a website. Such is the case with Facebook. So even a leaked Facebook password doesn't mean that your account is compromised right away when you make use of that.
Oh ! Didnt think of that ! Thanks for the explanation :)
A very useful website that you can use is :
haveibeenpwned.com/
You can try your email address against it and then know if your email address has been part of a data breach.
It is a website from Troy Hunt which a speaker and security professionnal. I encourage you to have a look at his website as well if you're interested in Security in general.
troyhunt.com/
Hmm, somebody was just telling me how OAuth with Facebook was secure somehow.
It's not surprising. Facebook has zero interest in user privacy or user rights.
All this stuff is totally on-brand for them but it’s still to wild to be true.
Aaaaand that's what happens when you don't take security seriously no matter what your scale is. Sure you can get better with time but the problem that I see often is that security is the first thing that flies out the window. Now their problem was not taking care of this and run with it for too long. We all make mistakes but this got a bit out of hand.
Makes me feel like a pro developer...😅
To read some more elaborate opinions on the matter.
news.ycombinator.com/item?id=19453359
Would it help if we start encrypting our passwords upon sign up? 🤣
You could hash it using the domain's name.
I got logged out from FB recently after 2 days of using it 😂😂. I can't log into my account anymore and I'm not attend to do so. R.I.P my account LOL!
t.me/theprogrammersclub
And I thought it can't get any worse with Facebook 🤪
But it seems that Facebook is full of surprises!
@ben you too, cross check the dev.to password algorithm.