NPC: FB’s risky password storage ‘not a security incident’
MANILA, Philippines — Facebook says there’s no proof that the passwords of hundreds of millions of users have been accessed by its employees, prompting the Philippines’ National Privacy Commission (NPC) to not yet consider it a security incident.
In a statement, the NPC said it had discussed the issue with Arianne Jimenez, Facebook’s privacy and public policy manager for Asia Pacific, who made this claim after the social media giant found itself in the middle of yet another privacy issue.
The account passwords of 200 million to 600 million users were “stored in plain text and searchable by thousands of Facebook employees,” according to cybersecurity blog “Krebs on Security,” which broke the news. The post was authored by former Washington Post reporter Brian Krebs.
The blog post was published on March 21.
On the same day, Facebook issued a statement saying that the glitch was spotted during a routine security review in January, but it claimed that it was already “fixed.”
So far, it’s still not certain how the Philippines, a country which London-based consultancy We Are Social said has 67 million Facebook users, is affected.
NPC Commissioner Raymund Liboro told the Inquirer that they were still trying to get more details from Facebook, which would hopefully shed light on the extent of the impact on Filipino users.
“Right now, we’re not considering this as a security incident,” he said in a brief phone interview.
However, when asked how NPC would verify Facebook’s claim that no harm was done, he said it would be a matter of “wait and see.”
Given how complex Facebook’s system is, Liboro said this might mean having to wait for an “informal” way by which the claim could be disproved, such as an employee getting a picture of the data set.
“Their system is complex. Facebook is like the factory of Willy Wonka. You don’t know what is inside there. You just know it produces chocolates. It’s like that,” he said.
“The proof of compromise sometimes takes many forms. Sometimes, it takes time,” he added.
Nevertheless, Liboro said in a statement that the storage of Facebook passwords in plain text “needlessly exposed people to risk” from ill intent or even from just being compromised by accident.
“Even if there is shown to be no evidence of abuse, there is little comfort in knowing that the world’s largest repository of personal data practices such lax internal controls,” it added.