Statement of Privacy Commissioner Raymund Enriquez Liboro on Facebook’s Use of Plain Text in Stored Passwords
1. Today Facebook announced that millions of users’ passwords were discovered in January to be stored in a readable format within their internal data storage systems. This first came about after a revelation by a security expert, who claims that this practice has been going on since 2012 and that the passwords could be accessed by more than 20,000 employees of Facebook.
2. The storage of Facebook passwords in plain text needlessly exposed people to risk. Passwords that are stored in plain text are more easily and readily stolen by those who intend harm; they may even be compromised by accident.
3. In a conversation this afternoon with Facebook Privacy and Public Policy Manager for Asia Pacific, Arianne Jimenez, we sought more details. Jimenez reaffirmed that they found no evidence so far that anyone internally abused or improperly accessed the said dataset and said they will be notifying everyone affected.
4. Even if there is no evidence of abuse, there is little comfort in knowing that the world’s largest repository of personal data practices such lax internal controls. In a 2018 study, the Ponemon Institute (a global information security think tank) found that 60% of businesses indicated that their data breaches come from negligent employees or contractors. 1
5. If you are affected and you receive notice from Facebook, change your passwords immediately and enable multi-factor authentication. Begin to exercise better digital hygiene. For more information, visit our 30 Ways to Love Yourself web post at privacy.gov.ph/30-ways/.