On March 21, Facebook announced that they had discovered an internal security flaw, in which hundreds of millions of user passwords had been stored in their systems in an unencrypted, plain text, readable format. While typically passwords undergo security processes known as “salting” and “hashing” that make them unreadable without special algorithms, over the course of several years, Facebook has been storing many passwords in plain text.
The passwords stored in readable format were only accessible to internal employees. Per Facebook, no external breach of these passwords has occurred, nor have these passwords been abused or improperly accessed internally.
As noted, over 100 million users of Facebook, Facebook Lite, and Instagram have been affected. Storage for these passwords has since been corrected, with salting and hashing applied to them. Affected users have been informed by Facebook and assured that no negative consequences have occurred.
ACA Aponix Guidance
ACA Aponix recommends taking the following actions regarding the Facebook password storage issue:
- Affected users may benefit from changing their password, choosing passwords considered complex and strong (e.g., mixing alphanumeric and special characters, avoiding common words, increasing password length, etc.).
- Non-affected users may likewise benefit from changing passwords in Facebook and Instagram, opting for complexity and strength as well.
- Opt-in for multi-factor authentication to supplement password security.
- Ensure that password protection policies are in place on a company-wide basis and provide additional training to staff regarding password selection in all environments.
How ACA Aponix Can Help
ACA Aponix offers the following solutions that can help your firm ensure strong security in light of the Facebook password storage announcement:
- Cybersecurity and technology risk assessments
- Data privacy compliance
- Phishing testing and cyber awareness training
- Penetration testing and vulnerability assessments
- Policies, procedures, and governance
- Cyber incident response planning
- Vendor diligence and management
- Threat intelligence
For More Information
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.