Facebook's password bungle

It's not as if Facebook isn't tied up in one of the worst privacy breaches in modern history already, desperately trying to convince users to trust them, but a new revelation has come to light: the company accidentally stored hundreds of thousands of passwords in plain text for years.

A report from Krebs on Security first detailed the security failures, which Facebook had not yet announced:

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

What happened? A simple programmer error: the company's logging captured user requests in transit, before the passwords had been hashed for storage in the database, so the plaintext passwords wound up in text-based logs as well as in its 'data warehouse.'
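To make the failure mode concrete, here is an added example (not Facebook's code, and not from the Krebs report) of the two halves of the problem: a naive request logger that serialises the whole request before anything is hashed, beside a logger that redacts credential-bearing fields first, plus a scan that checks existing log archives for a known canary secret. The key list, the sample request and the canary values are constructed for the example.

```python
import json
import re

# Field names that must never reach a log line, matched case-insensitively
# on the key. This list is an assumption for the example; extend it for
# whatever your own request format carries (passwords, tokens, auth headers).
SENSITIVE_KEY = re.compile(r"(password|passwd|pwd|secret|token|authorization)", re.I)
REDACTED = "[REDACTED]"


def log_request_naive(request: dict) -> str:
    """The pattern the article describes: the whole request body is written
    to the log before the password has been hashed, so the clear text lands
    in every log archive and downstream data warehouse that ingests it."""
    return json.dumps(request, sort_keys=True)


def redact(value):
    """Recursively replace values stored under sensitive keys. Dicts and
    lists are walked so a nested payload cannot carry a secret past the filter."""
    if isinstance(value, dict):
        return {k: (REDACTED if SENSITIVE_KEY.search(k) else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def log_request_redacted(request: dict) -> str:
    """Same log line, but credential-bearing fields are removed before the
    request is serialised. Redaction happens at the logging boundary, so it
    does not depend on every handler remembering to hash first."""
    return json.dumps(redact(request), sort_keys=True)


def find_leaked_secrets(log_lines, canary_secrets):
    """Defensive check for archives that already exist: plant a canary
    password on a test account, then report every (line number, canary)
    pair where the canary appears in clear. Zero hits is the goal."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for secret in canary_secrets:
            if secret in line:
                hits.append((lineno, secret))
    return hits


# Constructed sample request for a login endpoint (not real traffic).
SAMPLE_REQUEST = {
    "path": "/login",
    "user": "alice",
    "body": {"password": "hunter2-canary", "remember_me": True},
    "headers": {"Authorization": "Bearer canary-token-123", "User-Agent": "x"},
}
CANARIES = ["hunter2-canary", "canary-token-123"]


if __name__ == "__main__":
    naive = log_request_naive(SAMPLE_REQUEST)
    safe = log_request_redacted(SAMPLE_REQUEST)
    print("naive   :", naive)
    print("redacted:", safe)
    # The naive line leaks both canaries; the redacted line leaks neither.
    print("leaks   :", find_leaked_secrets([naive, safe], CANARIES))
```

The scan is deliberately dumb substring matching: the point is that a canary credential, known only to the security team, should never show up anywhere in logs, search indexes or warehouse tables, and a periodic grep for it is a cheap control that would have flagged years of archives long before an internal review did.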

Facebook responded a few hours later, saying that it would notify and reset passwords for "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users." The post devolves into talking about how Facebook uses "best security practices" but is not forthcoming with any information about why this happened.

Technically speaking, there was no actual data breach... if you ignore the 2,000 engineers that may have accessed them in the time that the passwords were unencrypted across nine million log searches. How this could be ignored for so long, with so many engineers poking around in the same logs, is baffling.

The company has been sitting on this information for at least three months: engineers were alerted to the issue in January, and a "task force" was set up to find anywhere this was happening. Still, the company didn't disclose it until Krebs came forward, which isn't particularly reassuring about its supposed newfound commitment to transparency on user data.

Now, I'm not saying there's a pattern of misleading users here, but on the very same day The Guardian reported that a court filing by the attorney general for Washington DC alleged that Facebook sat on the Cambridge Analytica breach for months as well, as much as six months before it was first reported by the media.

Look, all I'm saying is if your company is planning to "pivot to privacy" and focus on encryption, and you can't encrypt a password to save yourself, why in the world should users trust what you're saying at all? 🤦‍♀️


Tab Dump

Good read: Instagram is the internet's new home for hate, by the incredible Taylor Lorenz

As Uber approaches IPO, it picks NYSE for listing
It's looking like April is going to be a blockbuster month for going public, with both Uber and Pinterest slamming the accelerator on their plans to hit the market while it's hot. Genuinely, I'm just excited to get a peek under the hood of these companies when their S1 filings slide in.

Amazon tests video ads in its shopping app, in a shot across the bow for Google's mobile advertising

China's Tencent files dramatic earnings miss
A freeze on new gaming licenses in China has hit hard, and Tencent is struggling with the realities of that: it saw net income fall 32% in one quarter, but scrambled to grow other parts of the business successfully in order to soften the blow.

The MPAA says that streaming video just passed cable subscriptions for the first time globally

Apple signed Vox for news subscription service and Recode is reporting that Apple's streaming service is actually a storefront for streaming services