NPC: FB’s risky password storage ‘not a security incident’
In this April 4, 2013 file photo, Facebook CEO Mark Zuckerberg walks at the company’s headquarters in Menlo Park, California. Facebook says it is launching new artificial intelligence technology to find intimate pictures that may have been uploaded without the consent of the photo’s subject. Facebook says it will be able to spot the photos and videos known as ‘revenge porn’ and send them to be reviewed. (Photo by MARCIO JOSE SANCHEZ / AP)
MANILA, Philippines — Facebook says there’s no proof that the passwords of hundreds of millions of users have been accessed by its employees, prompting the Philippines’ National Privacy Commission (NPC) to not yet consider it a security incident.
In a statement, the NPC said it had discussed the issue with Arianne Jimenez, Facebook’s privacy and public policy manager for Asia Pacific, who made this claim after the social media giant found itself in the middle of yet another privacy issue.
The account passwords of 200 million to 600 million users were “stored in plain text and searchable by thousands of Facebook employees,” according to cybersecurity blog “Krebs on Security,” which broke the news. The post was authored by former Washington Post reporter Brian Krebs.
The blog post was published on March 21.
On the same day, Facebook issued a statement saying that glitch was spotted during a routine security review in January, but it claimed that it was already “fixed.”
So far, it’s still not certain how the Philippines is affected, a country which London-based consultancy We Are Social said has 67 million Facebook users.
NPC Commissioner Raymund Liboro told the Inquirer that they were still trying to get more details from Facebook, which would hopefully shed a light to the extent of impact on Filipino users.
“Right now, we’re not considering this as a security incident,” he said in a brief phone interview.
However, when asked how NPC would verify Facebook’s claim that no harm was done, he said it would be a matter of “wait and see.”
Given how complex Facebook’s system is, Liboro said this might mean having to wait for an “informal” way by which the claim could be disproved, such as an employee getting a picture of the data set.
“Their system is complex. Facebook is like the factory of Willy Wonka. You don’t know what is inside there. You just know it produces chocolates. It’s like that,” he said.
“The proof of compromise sometimes takes many forms. Sometimes, it takes time,” he added.
Nevertheless, Liboro said in a statement that the storage of Facebook passwords in plain text “needlessly exposed people to risk” from ill intent or even from just being compromised by accident.
“Even if there is shown to be no evidence of abuse, there is little comfort in knowing that the world’s largest repository of personal data practices such lax internal controls,” it added. /atm
