Anatomy of a Breach

Anatomy of a Breach: Facebook — Hundreds of Millions of Passwords Stored in Searchable Plaintext

> series: anatomy_of_a_breach —— part: 124 —— target: facebook —— passwords: hundreds_of_millions —— storage: plaintext_in_logs —— accessible_by: 20,000_employees

Hedgehog Security 30 April 2019 11 min read

Hundreds of millions of passwords. In plaintext. In logs. Accessible to 20,000 employees. Since 2012.

On 21 March 2019, Brian Krebs reported, and Facebook confirmed in a blog post the same day, that hundreds of millions of passwords for Facebook, Facebook Lite and Instagram users had been stored in plaintext within internal logging and data storage systems since as early as 2012. Facebook's own breakdown was hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users; in April it revised the Instagram figure upwards to millions. The passwords were searchable by approximately 20,000 Facebook employees through internal tools. According to Krebs' source inside the company, Facebook's internal investigation found that roughly 2,000 engineers or developers had made around 9 million internal queries against the data stores containing plaintext passwords.

Facebook stated that it found no evidence that the plaintext passwords had been exposed externally or abused internally, but the disclosure raised fundamental questions about its internal security practices. A password should be hashed with a slow, salted, one-way function (bcrypt, scrypt or Argon2) at the moment it is received, so that not even the service operator can read it. Facebook's login system did hash passwords; the failure was that internal applications captured the plaintext value and wrote it to logs and data stores, where it sat for seven years, readable by thousands of employees. That violates every password-handling principle documented throughout this series, from Adobe's 3DES catastrophe to LinkedIn's unsalted SHA-1.



Logging systems that should never have seen passwords.

Passwords in Application Logs
The passwords were captured in application logs, a common failure in which debug, error or request logging writes the full request or form body, password field included, to a log store that is indexed and searchable by far more people than the authentication system itself. Our <a href="/penetration-testing/web-application">web application testing</a> includes log file analysis and sensitive data exposure checks, identifying exactly this type of misconfiguration.
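The following is an added example, not code from the original article or from Facebook, showing the failure in miniature and its fix: a login handler whose debug logging writes the whole request body (so the plaintext password lands in the log) beside the same handler with sensitive fields redacted before anything is logged and the password stored only as a salted, slow hash. The field names, the `USERS` in-memory store and the use of PBKDF2 from the standard library (chosen only so the example runs with no dependencies; bcrypt or Argon2 are the better choice in production) are assumptions of the example.

```python
import hashlib
import hmac
import json
import os
from typing import Any, List, Optional

# Field names whose values must never reach a log line. Assumed list for the
# example; extend it with your own application's names.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "access_token"}
REDACTED = "[REDACTED]"

# In-memory stand-in for the credential store: username -> password hash record.
USERS = {}


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted one-way hash. PBKDF2-SHA256 from hashlib, used here so the example
    has no third-party dependency; prefer bcrypt/Argon2 in real systems."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(username: str, password: str) -> None:
    """The plaintext is hashed immediately; only the hash record is kept."""
    USERS[username] = hash_password(password)


def redact(obj: Any) -> Any:
    """Return a copy of a request payload that is safe to log: sensitive values
    are replaced, recursing into nested objects and lists."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def login_vulnerable(request_body: str, log_lines: List[str]) -> bool:
    """The failure mode: debug logging writes the raw request, password included.
    The credential store is fine; the log store is now a plaintext password store."""
    payload = json.loads(request_body)
    log_lines.append(f"DEBUG login request: {request_body}")  # plaintext password in the log
    stored = USERS.get(payload["username"])
    return stored is not None and verify_password(payload["password"], stored)


def login_hardened(request_body: str, log_lines: List[str]) -> bool:
    """Same handler with sensitive fields redacted before the line is emitted."""
    payload = json.loads(request_body)
    log_lines.append(f"DEBUG login request: {json.dumps(redact(payload))}")
    stored = USERS.get(payload["username"])
    return stored is not None and verify_password(payload["password"], stored)


if __name__ == "__main__":
    register("alice", "hunter2")
    body = json.dumps({"username": "alice", "password": "hunter2"})
    vuln_log, safe_log = [], []
    login_vulnerable(body, vuln_log)
    login_hardened(body, safe_log)
    print("vulnerable:", vuln_log[0])
    print("hardened:  ", safe_log[0])
```

The redaction happens at the one place the plaintext exists, the request handler, rather than relying on a log-cleaning job downstream: once a line has been written to a searchable store, every copy, index and backup of it has to be found and purged.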
20,000 Employees With Access
Approximately 20,000 employees could query the systems containing plaintext passwords. The principle of least privilege — limiting access to the minimum required for each role — was not applied to these internal data stores. Our <a href="/penetration-testing/infrastructure">internal penetration testing</a> assesses access controls on internal systems.
Seven Years Without Detection
The plaintext password storage had persisted since 2012 — seven years. Routine security audits, code reviews, or internal penetration testing should have identified passwords in log files. <a href="https://www.socinabox.co.uk">SOC in a Box</a> includes data exposure monitoring that detects sensitive data in inappropriate locations.
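As an added example of the kind of data exposure check described above (not the article's own tooling, and not SOC in a Box), the scanner below runs over a handful of constructed log lines and flags plaintext credential fields in JSON bodies, query strings and form data, plus HTTP Basic credentials, while skipping values that are already redacted. It reports the line number and field or username, never the secret itself, so that the scanner's own output does not become a second copy of the leak. The log lines, field names and regular expressions are assumptions of the example.

```python
import base64
import re
from typing import List, Tuple

# Constructed sample log lines for the example; not real data from any system.
SAMPLE_LOG = """\
2019-03-20T10:15:01Z INFO  auth  login ok user=alice ip=203.0.113.7
2019-03-20T10:15:02Z DEBUG auth  request body={"username": "bob", "password": "hunter2"}
2019-03-20T10:15:03Z DEBUG api   GET /v1/login?user=carol&passwd=Tr0ub4dor%263 200
2019-03-20T10:15:04Z DEBUG proxy Authorization: Basic ZGF2ZTpzM2NyM3Q=
2019-03-20T10:15:05Z INFO  auth  password reset email queued user=erin
2019-03-20T10:15:06Z DEBUG auth  form username=frank&password=[REDACTED]
"""

# key=value or "key": "value" with a credential-style key (assumed key list).
FIELD_RE = re.compile(r"""(?i)["']?\b(password|passwd|pwd|secret)\b["']?\s*[:=]\s*["']?([^"'&\s,}]+)""")
# HTTP Basic credentials carry user:password base64-encoded, i.e. plaintext.
BASIC_RE = re.compile(r"(?i)authorization:\s*basic\s+([A-Za-z0-9+/=]+)")
# Values that indicate redaction already happened; not a finding.
PLACEHOLDERS = {"[redacted]", "<redacted>", "***", "null", ""}


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_kind, field_or_user) for each credential found.
    The secret value itself is deliberately not returned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in FIELD_RE.finditer(line):
            field, value = m.group(1).lower(), m.group(2)
            if value.lower() in PLACEHOLDERS:
                continue  # already redacted at source
            findings.append((line_no, "plaintext-field", field))
        for m in BASIC_RE.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                continue  # not a well-formed Basic credential
            if ":" in decoded:
                findings.append((line_no, "basic-auth", decoded.split(":", 1)[0]))
    return findings


if __name__ == "__main__":
    for line_no, kind, who in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} ({who})")
```

Line 5, which merely mentions the word "password", and line 6, whose value was redacted before logging, produce no findings; a scanner that fired on the keyword alone would drown the real hits in noise.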
Three Facebook Incidents in 12 Months
<a href="/blog/anatomy-of-a-breach-cambridge-analytica">Cambridge Analytica</a> (March 2018), <a href="/blog/anatomy-of-a-breach-facebook-access-tokens">access tokens</a> (September 2018), and now plaintext passwords (March 2019): three major security and privacy incidents within 12 months demonstrated a systemic pattern. For any organisation, multiple incidents in a short period indicate systemic security governance issues, not just individual failures.

Passwords must never appear in logs, dashboards, or internal tools.

The Facebook plaintext passwords incident reinforced a fundamental security principle: passwords must be hashed immediately upon receipt and must never appear in plaintext in any system — including application logs, debug output, error reports, or internal analytics. Our web application testing verifies that sensitive data including passwords is not logged, and that password storage uses appropriate one-way hashing (bcrypt, Argon2).

Cyber Essentials mandates appropriate authentication controls. Our penetration testing identifies plaintext credential exposure in logs and internal systems. Data loss prevention through SOC in a Box detects sensitive data in inappropriate locations. And UK Cyber Defence provides the forensic investigation capability when credential exposure is discovered.


Facebook stored hundreds of millions of passwords in plaintext for seven years. Are your passwords in your logs?

Our <a href="/penetration-testing/web-application">application testing</a> checks for credential exposure in logs. <a href="/cyber-essentials">Cyber Essentials</a> mandates appropriate password management.
