Facebook password mess alarms body
MANILA, Philippines — The National Privacy Commission (NPC) has expressed displeasure over the latest controversy involving social media company Facebook, which revealed on Thursday that it had discovered millions of passwords stored in readable format.
Privacy commissioner Raymund Liboro said on Friday he has raised the matter with Arianne Jimenez, Facebook’s privacy and public policy manager for Asia Pacific, who maintained that the data were not internally abused or improperly accessed.
Liboro criticized the company over the issue, saying the storage of passwords in plain text needlessly exposed people to risk.
“Passwords that are stored in plain text are more easily and readily stolen by those who intend harm; they may even be compromised by accident,” Liboro said.
“Even if there is no evidence of abuse, there is little comfort in knowing that the world’s largest repository of personal data practices such lax internal controls. In a 2018 study, the Ponemon Institute (a global information security think tank) found that 60 percent of businesses indicated that their data breaches come from negligent employees or contractors,” he added.
Liboro urged those affected to change their passwords immediately and enable multi-factor authentication.
Facebook’s vice president for engineering, security and privacy Pedro Canahuati said they discovered the matter during a routine security review in January.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” he said.
“We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” he added.
Canahuati maintained the passwords were never visible to anyone outside of the company and that they have found no evidence that anyone internally abused or improperly accessed them.
Nevertheless, they will still notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users” whose passwords were stored in that format, he said.
Canahuati recommended that users take precautions to secure their accounts, including changing their passwords.
He recommended avoiding reusing passwords across different services and picking strong and complex passwords with the help of password manager applications.
“Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third-party authentication app,” he said.
“When you log in with your password, we will ask for a security code or to tap your security key to verify that it is you,” he added.
The Facebook official maintained there is nothing more important to them than protecting user information, vowing to continue making improvements as part of their ongoing security efforts.
“In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them,” he said.
Canahuati added they have various security measures in place to help protect people’s accounts.
Among these measures are the use of signals to detect suspicious activities on accounts, as well as a system that enables users to register a physical security key to an account.
“Knowing some people reuse passwords across different services, we keep a close eye on data breach announcements from other organizations and publicly posted databases of stolen credentials,” Canahuati said.
“We check if stolen email and password combinations match the same credentials being used on Facebook. If we find a match, we’ll notify you next time you log in and guide you through changing your password,” he added.