Facebook stored up to 600 million user account passwords without encryption, viewable as plain text by tens of thousands of company employees, according to a report Thursday by cybersecurity journalist Brian Krebs.
Facebook confirmed the report in a blog post. Facebook shares were down less than 1 percent Thursday. The Irish Data Protection Commission, which administers the European Union’s General Data Protection Regulation, or GDPR, also said Thursday that Facebook had reached out over the matter: “We are currently seeking further information,” the commission said in a statement.
The 600 million users represent a significant chunk of Facebook’s user base of 2.7 billion people. The company said Thursday it planned to start notifying those affected so they could change their passwords.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Facebook said in a statement. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
Facebook’s blog post did not say how many users were affected.
The incidents date back to as early as 2012, according to the report. A Facebook software engineer named Scott Renfro was quoted by Krebs as saying the company hasn’t found any misuse of the data in question and that “there was no actual risk that’s come from this.”
Facebook, however, has been under intense scrutiny due to several years of privacy and security scandals that have earned the company criticism from customers, as well as inquiries and fines from several regulatory agencies, particularly in the European Union.
But Facebook’s scandals haven’t significantly dented the company’s count of active daily users, which rose last quarter in defiance of an extended social media campaign by Facebook critics encouraging privacy-minded customers to delete their accounts.
This incident will undoubtedly trigger reviews under GDPR, which allows only a 72-hour notification window for those affected by a privacy breach and requires companies to store passwords securely. The law is somewhat ambiguous as to how precisely to define “appropriate levels of security,” but it is likely the commission would consider plain text passwords that are stored internally and accessible to large numbers of employees as failing to meet those standards.
If the incident did stretch back as far as 2012, the company may also need to do a great deal of investigating into how those passwords may have been misused. Though Facebook stated in its blog post that it has “found no evidence to date that anyone internally abused or improperly accessed them,” it will be difficult for the company to pinpoint whether or how someone with internal access was able to misuse a password once they were outside the company.
— CNBC’s Jim Forkin contributed to this report.