Facebook plays fast and loose with your privacy. They’re also irresponsible with your security! There’s one rule when it comes to storing customer passwords on your servers: don’t. What you store instead is a salted hash of the password: the password is run through a deliberately slow one-way function together with a random per-user value called a salt, and only the result is kept. When the user logs in, you repeat the computation and compare. The server can check a password without ever being able to read it back, and an attacker who steals the table cannot crack every account with one precomputed lookup. Encrypting passwords is not good enough either, because whoever holds the key can decrypt them; hashing has no key to steal. To follow what happened here, you don’t need to understand the math. You just have to understand the difference between a password that has been hashed, which cannot be turned back into the password, and one stored exactly as it was typed, which is what we call “plaintext,” readable by anyone who can open the file.
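As an added example (not code from the original post, and not Facebook’s code), here is what the correct approach looks like next to the failure mode described above, in Python: a salted, slow password hash that the server can verify but not reverse, and a request logger that redacts the password field so the password never lands in a log file in the first place. The work factor, the field names in the deny-list, and the sample login are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work-factor parameters are assumptions for this example, not anything the
# post or Facebook states. OWASP's current guidance for PBKDF2-HMAC-SHA256 is
# 600,000 iterations; raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing verifier string: alg$iterations$salt$hash.

    The salt is fresh randomness per user, so two users with the same
    password get different records and a stolen table cannot be cracked
    with one precomputed lookup. The hash is one-way: the server can check
    a login attempt but can never read the password back.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or corrupted record: fail closed
    _, iterations, salt_hex, digest_hex = parts
    try:
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(recomputed, digest)


# --- The failure mode: the password leaks into storage by way of a log line ---

# Vulnerable: a request logger that dumps the whole form body. Whatever the user
# typed into the password box is now sitting in a log file that anyone with
# read access to the logs (or the search index built on them) can query.
def log_request_unsafe(path: str, form: Dict[str, str]) -> str:
    return f"POST {path} form={form}"


# Hardened: scrub credential fields before the line is ever written.
# The field names are an illustrative deny-list (an assumption); a real
# service should redact by schema rather than by guessing names.
SENSITIVE_FIELDS = frozenset({"password", "passwd", "pass", "old_password", "new_password"})


def log_request_safe(path: str, form: Dict[str, str]) -> str:
    scrubbed = {
        key: "[REDACTED]" if key.lower() in SENSITIVE_FIELDS else value
        for key, value in form.items()
    }
    return f"POST {path} form={scrubbed}"


if __name__ == "__main__":
    # Constructed sample login, not real data.
    form = {"email": "alice@example.com", "password": "correct horse battery staple"}
    record = hash_password(form["password"])
    print("stored record:", record)                                       # no trace of the password
    print("right password:", verify_password(record, form["password"]))   # True
    print("wrong password:", verify_password(record, "Tr0ub4dor&3"))      # False
    print("unsafe log:", log_request_unsafe("/login", form))              # leaks the password
    print("safe log:  ", log_request_safe("/login", form))                # password redacted
```

Run it and compare the two log lines. The stored record carries its own salt and work factor, so you can raise the iteration count later and re-hash each user on their next successful login. PBKDF2 from the standard library is used here for portability; in production, Argon2id or bcrypt through a vetted library is the better choice.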
Facebook stored user passwords. Not hashed, not even encrypted: plaintext, written into internal data storage systems that Facebook employees could search. Any employee with access to those systems could read your password.
That makes this one of the most heinous breaches of consumer trust. Facebook’s account is that the passwords were logged inadvertently, but nothing about a system that writes raw passwords into storage employees can query, and keeps doing it until a routine review finally catches it, is an accident of fate: what gets logged, who reviews that code, and who can read the result are all decisions. On top of that, they found this in January, during that routine security review, and only told us in March.
To recap:
- Facebook broke the first rule of passwords: they stored them.
- Facebook broke that rule in the worst possible way: they stored them in plaintext, readable by anyone who could open the data.
- Those passwords sat where Facebook employees could read them.
- Facebook sat on it for months before telling us, leaving everyone affected exposed to account takeover, harassment, identity theft, and outright theft in the meantime.
Simply put, this is not a company you should trust with anything, let alone your personal information, photos, GPS locations, or random memes.
Go change your Facebook password, change it on any other account where you used the same or a similar password, and turn on two-factor authentication while you are at it.
To quote Mark Zuckerberg, in a 2004 instant-message exchange about the early Facebook,
ZUCK: people just submitted it
ZUCK: i don’t know why
ZUCK: they “trust me”
ZUCK: dumb fucks
Sources:
- Zac Hall, 9to5Mac