Facebook stored passwords in plain text

Mar 21 39 Comments


Want to comment? LOG IN or SIGN UP
TOP 39 Comments
  • M*Modal / Eng stremf
    God, fuck Facebook so much. Seriously what a fucking drain on humanity. Its becoming more and more obvious that Facebook provides a net negative impact on society. Why do they pay engineers a half million dollars a year to ignore security best practices from 2003?
    Mar 21 17
    • Facebook / Eng SegTree
      Sure. You have four thousand products and one checkin could affect any one of them. Let’s spend a half year evaluating the impact of every checkin against every feature before we let it through. At that pace, we will launch our next set of features by the end of 2030!

      The very nature of software is that users can go from any state to any other state. The combination of all possible states is too large to enumerate. So we as software engineers test all the important/dangerous success/failure flows we can think of. Obviously we can’t test everything and it’s not worthwhile to test everything.

      This comes down to a trade off between execution pace and security/bugs. Obviously we try to strike the right balance, but when you’re treading a blurry line, there are bound to be mistakes.
      Mar 21
    • Facebook hphpd
      At no point, by the way, is this not a mistake. It's obviously a mistake, which is why we fixed it and are notifying affected users.

      My 2c is if you're going to be angry, at least get your facts straight, instead of peddling some fantasy scenario where everyone at Facebook is a monkey and we have never heard of hashing passwords before and nobody cares about security.

      If we didn't give a shit we wouldn't have bothered looking for these flaws in the first place.
      Mar 21
    • Intel / Eng DonaldDD's
      I yielded 6 paragraphs!!! :P
      Mar 21
    • Facebook / Eng SegTree
      Uh oh, you forgot to evaluate the implications of that last statement and it turns out it shows your insincerity to have a reasonable discussion. I guess you need more “oversight.”
      Mar 21
    • Flagged by the community.

  • Amazon / Eng Yesyou
    Ethics and doing the right thing are not included in their leetcode interviews.
    Mar 21 2
    • Amazon / Eng

      Amazon Eng

      Says an Amazon guy.
      Mar 21
    • Cisco SLmG30
      Mar 21
  • Verizon Media / Mgmt At1nlay
    Read before you post
    Mar 21 15
    • Cisco SLmG30
      The company says that people didn't have access, and we can completely trust their access control audit because they are so good and security best practices . . . Oh wait
      Mar 21
    • Facebook / Eng SegTree
      @At1nlay: I’m not saying, “It doesn’t matter because the database stores them securely.”

      I’m saying, “This wasn’t the result of some idiot carelessly deciding to store passwords in plaintext.” Most likely, the checkin that caused this wasn’t even related to passwords in the first place.

      Is this bad? Yes. Is it the result of complete incompetence or disregard for user security? Probably not.
      Mar 21
    • New vpkf84
      Segtree this from krebs:
      Mar 22
    • New vpkf84
      This article is saying passwords were stored in plaintext. What am I missing here??
      Mar 22
    • Facebook / Eng SegTree
      @vpkf84: The main user DB was not storing passwords in plaintext. Some auxiliary data store was.

      You realize we have more than 200-600 million users? You think we had a bug that resulted in us hashing some people’s passwords but not other peoples? Of course not...

      My guess is that someone added a feature like “oh let’s log the GET and POST vars from a sampling of requests and use that data to alarm when a DDoS is happened” (not that exact thing but something like it). Then someone else later probably came along and said something like “oh hey this is also sampling login requests.”

      Is it bad? Yeah. Is it the result of FB completely disregarding user security? Probably not.
      Mar 22
  • “Top tech company”
    Mar 21 0
  • Cisco vzIq77
    The engineers involved will receive promotions. I guarantee it.
    Mar 21 0


    Real time salary information from verified employees