For years, the passwords of hundreds of millions of Facebook users were stored unencrypted on its servers, the social network announced on Thursday. Although the problem has since been fixed, users should respond to the data breach.

Passwords stored unencrypted are a high risk. To protect users, online platforms normally never store passwords in plain text; instead, an algorithm first makes them unreadable. For each password, a so-called cryptographic checksum (hash value) is generated, from which the password cannot be derived. Only this hash value is stored on the server. This lets the software check a password when it is entered without having to store it in plain text.
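The storage scheme described above, as an added example that is not part of the original article and not Facebook's code: the server keeps only a salted hash record and recomputes it at login. The choice of PBKDF2-HMAC-SHA256, the iteration count, the record layout and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration (not taken from the article).
ITERATIONS = 600_000
SALT_LEN = 16


def make_record(password: str) -> str:
    """Return the string a server stores in place of the password."""
    salt = os.urandom(SALT_LEN)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(candidate: str, record: str) -> bool:
    """Re-hash the entered password with the stored salt and compare."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     salt, int(iterations))
    except (ValueError, TypeError, OverflowError):
        return False  # malformed or tampered record: reject the login
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    record = make_record(pw)
    print(record)                            # what ends up in the database
    print(check_password(pw, record))        # correct password is accepted
    print(check_password("guess", record))   # wrong password is rejected
```

The plain-text password exists only in memory during the call; anyone reading the stored record sees the scheme, the salt and the hash, not the password.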

On the Facebook servers, however, the passwords were unprotected, so users should act now. Here are the answers to the most important questions:

How can I find out if my password has been saved in clear text?

The number of passwords stored in clear text is enormous. IT security expert Brian Krebs, who first reported on the security flaw on his blog, estimates that the passwords of up to 600 million users were stored unencrypted on Facebook servers. This would affect around a quarter of the social network's 2.7 billion members worldwide.

Facebook has announced that all affected users will be informed. Exactly when the e-mails will be sent, however, is unclear. In response to an inquiry from SPIEGEL ONLINE, the company said it could not yet give an exact date.

Which platforms are affected?

According to the company, the list mainly contains passwords of users of Facebook Lite, the slimmed-down Android app. But the access data of tens of thousands of Instagram users is also said to have been stored unprotected on the servers.

In addition, Facebook also works as a door opener for many other portals. The social network can be connected to apps and websites so that users do not have to create a new account there. Many popular services such as AirBnB, Spotify and the video app TikTok leave it to new members to decide whether they register anew or sign up via Facebook.

Anyone who has access to the Facebook password can in many cases also log in to other sites. To find out which sites are linked to the Facebook login, users can display a list of all linked websites in the settings. There, they can also cut the connection between online portals and the Facebook account.

How long were the passwords unprotected on the servers?

In a routine check in January, Facebook developers noticed the data breach and, according to the company, fixed it. Facebook does not want to comment on how long the passwords were stored there unprotected. But it could be several years. According to Brian Krebs, data sets with plain-text passwords date back as far as 2012.

Has anyone already abused the access data?

That is hard to say. According to Facebook, the passwords were seen only by Facebook employees and not by anyone outside the company. There was no evidence that "anyone within the company misappropriated or accessed the access data".

However, it is difficult to prove whether the credentials could have leaked out or whether one of the 20,000 Facebook employees accessed the database. A company spokeswoman told SPIEGEL ONLINE: "We maintain strict technical controls and rules to restrict the access of employees to the user data." There is a "zero-tolerance approach to abuse", and inappropriate behavior leads to dismissal.

On "Krebs on Security", however, it says that there had indeed been access to the passwords; Brian Krebs had spoken with an informant from the company. Internal logs indicated that 2000 developers had made about nine million searches whose search parameters were set to user passwords in plain text.

Do I need a new password?

Yes. Although apparently only some users are affected, everyone should change their passwords for Facebook and Instagram. The risk that data could have fallen into the hands of strangers is too great, and users cannot even know whether their passwords are affected. With the access data, unauthorized persons can not only see what the user hands out "likes" for and which pages he or she follows. With the Facebook password, all sent and received messages in Facebook Messenger can also be read.

In addition to a new and secure password, it is recommended to enable two-factor authentication. Logging in becomes more cumbersome for the user, but also almost impossible for strangers. Facebook offers to send an additional login code to the smartphone on each new login, or to generate it using an app such as the Google Authenticator. The user can then uniquely identify himself with the mobile device.