Are you a Facebook user? If you are, it may be time to change your password. KrebsOnSecurity recently reported that it found hundreds of millions of Facebook user account names and passwords stored in plain text and searchable by more than twenty-thousand Facebook employees. At present, there is no official count, but Facebook says the total number of records was between 200,000 and 600,000.
That’s a big number, which makes this a serious incident, but in truth, it represents only a fraction of the company’s massive user base.
Although there’s no indication that any Facebook employee abused their access to the information, the fact remains that it was accessed regularly. The investigation to this point has revealed that no less than 2,000 engineers and developers made more than nine million internal queries to the file.
Facebook software engineer Scott Renfro, interviewed by KrebsOnSecurity, had this to say about the issue:
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data.
In this situation, what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
This is just the latest in an ongoing series of security-related issues Facebook has found itself in the midst of. While the company is wrestling with making changes to prevent such incidents in the future, that’s small comfort to the millions of users that have been adversely impacted over the last year.
According to the official company statement, unless you receive a notification from them, there’s nothing you need to do and no need to change your password. But given the importance of data security, if you’d rather be safe than sorry, it certainly couldn’t hurt.