Millions of Instagram Passwords Possibly Leaked

Mark Zuckerberg, Dan Rose, and Sheryl Sandberg of Facebook

I can just imagine some horn-heavy upbeat heist music playing in the background. Photo: Drew Angerer/Getty

About a month ago, we learned that Facebook had given employees access to user passwords. Facebook was storing passwords in plain text, the biggest sin in data security. Employees had unfettered access to these passwords, and could have shared, leaked, or sold them to anyone. Over 20,000 employees had access to those passwords.

If you didn’t do it then, you should change your password immediately.

When the story was originally published, Facebook did not say how many Instagram users—if any—were affected. They said they would reach out to the users affected. They may not have done this. In fact, a month later, timed perfectly to the Mueller report release to reduce the impact of the story, Facebook edited an old post, rather than making a new one, to say how many users were affected.

Millions.

Millions of passwords on the dark web and even on Facebook. That’s in addition to the hundreds of millions of Facebook users who were previously impacted.

Facebook’s not only dishonest and sneaky, they’re also dangerously careless with user privacy and security.

The Sheer Dishonesty

We’ve discussed Facebook’s dishonest behavior before. The company allows hate speech, spreads violence, and has directly led to many attacks and hate crimes, including the genocide of the Rohingya people.

But atop all of that is the dishonesty within Facebook. They don’t protect users, they selectively enforce rules, and they don’t even protect their own employees. They then lie about all of that.

Update vs New Post

What’s wrong with updating an old post instead of posting a new one? It’s dishonest. When a large story breaks and I have to issue a correction to it later, I update the story as well. However, if it’s a large falsehood, I make a new post, link the old one, and explain what happened. Fortunately, I’ve never had to go that far.

When you post a new post, people see it on Facebook, Twitter, Tumblr, their RSS readers, Apple News, Google News, Microsoft News, and anywhere else they consume the news. But when an old story is simply updated, they don’t get these notifications. They may never know the story was updated, facts changed, or information clarified. That’s why Facebook’s decision to update a post that was already a month old is preposterously dishonest.

It’s Mueller Time

The Mueller Report was released last week. It had damning evidence that Trump is nowhere near as innocent as his Attorney General William Barr claimed. Instead, it seemed to suggest that Congress must investigate (impeach) the president. This is huge news that will shape America’s democracy moving forward.

Which means it was the perfect time for Facebook to slip out some bad news about itself. Facebook is obligated to disclose security flaws, or they could risk fines and investigations. So they chose to release this detail through an update on a day when everyone else was paying attention to far more important news and questions. Will the leader of the United States face impeachment, as the report suggests, or will Congress ignore the findings? That’s far more important news than Facebook’s leak, and they figured the news would be ignored.

Unfortunately for Facebook, there are blogs dedicated to tech news, not political or world news, that will report on these stories.

Millions of users were exposed by Facebook through an obviously insecure method. Storing plaintext passwords is such a forbidden thing that every programmer worth their salt (and certainly Facebook’s six-figure salaries) would have known not to do it. Facebook was hiding their shame and minimizing it.


Source: Patrick Howell O’Neill, Gizmodo