Facebook fails to protect hundreds of millions of passwords: how to change yours

A server glitch has exposed hundreds of millions of user passwords to Facebook employees, a study has found.

Security researcher Brian Krebs wrote on his website Krebs On Security that a source at the social media firm claimed that the passwords were stored on internal servers in plaintext, a simple text document format, and could be accessed by up to 20,000 Facebook staff.

The source told Krebs that an internal Facebook investigation indicates between 200 million and 600 million passwords were stored, none of which was protected by encryption, a security format that converts a file into a jumbled code to prevent any unauthorised parties from viewing it.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

According to The Guardian, most of the passwords stored on the servers came from Facebook Lite users, a version created for countries “where mobile data is unaffordable or unavailable”, but the leak also affects those who use the regular app.

In a statement, Facebook’s vice-president of security, Pedro Canahuati, said the passwords “were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them”.

Nevertheless, he said, the company estimates “that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”.

Canahuati adds that the social media firm rectified the issues once it discovered them, but it will continue to investigate how it stores user information.

How to change your password

Although Facebook “isn’t initiating a reset” of everyone’s passwords, security experts often advise users to reset their login details in the event of a data breach, says Fortune.

One of the simplest ways to reset your access details is to select “forgot password” at the Facebook login screen, the news site says. This involves you resetting your password through a one-time link, which is sent by email.

Many people, however, have set their account up to automatically log them in as soon as they enter the app or visit the website.

For computer users, head to the downward-facing arrow in the top right-hand corner of the screen and select “Settings”, The Sun says. Then select “Security and Login” on the left-hand side of the screen and press “Change Password”.

On the Facebook app, press the three horizontal lines on the bottom right-hand corner and scroll down to “Settings and Privacy”. Once here, press “Settings”, followed by “Security and Login” and then “Change Password”.

It’s best to avoid simple passwords such as “12345678” as these can be easily guessed by cyber criminals. Instead, you should choose a password with a mix of numbers, letters and punctuation (if permitted) to create a code that only you would know.