Back in March, Facebook published a blog post in which the company admitted millions of Facebook user passwords and tens of thousands of Instagram user passwords had been accessible to employees for at least seven years because they were being stored unencrypted.
Oh, you didn’t know about that? Join the club. But wait, it gets worse.
In the original blog post, Facebook said…
As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.
To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.
Fast forward to Thursday, April 18th, and whoops, there were more Instagram users’ passwords unencrypted than they thought. A LOT MORE.
Facebook added this paragraph to their blog post, which, and I am just spitballing here, was probably not seen by most Instagram users.
(Update on April 18, 2019 at 7AM PT: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed).
But wait again, it somehow gets even WORSE.
According to The Daily Dot…
Facebook also came under fire late last month after it was learned that the social media site was asking individuals looking to create new accounts to provide the passwords to their personal emails for verification purposes. Just this Wednesday, it was learned that after obtaining those passwords, Facebook harvested the email contacts of 1.5 million people and used the data for advertising purposes.
Facebook’s statement about that unauthorized invasion of people’s internet privacy?
“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time,” a Facebook spokesperson said in a statement to Business Insider. “When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account.”
Oh, well, since they did it “unintentionally” that makes it all okay, right?