Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees, in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees abused access to this data.
Facebook is investigating a series of security issues in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That is according to a senior Facebook official who is familiar with the investigation and who requested anonymity because they were not allowed to speak to the press.
According to the Facebook source, the investigation has so far revealed between 200 and 600 million Facebook users whose account passwords had been stored in plain text and were searchable by more than 20,000 Facebook employees. The source said that Facebook was still trying to determine how many passwords had been exposed and for how long, but the investigation has so far revealed archives containing user passwords in plain text dating from 2012.
My Facebook insider said that access logs indicated that 2,000 engineers or developers had made about 9 million internal queries for data items containing plain text user passwords.
"The more we go into this analysis, the more comfortable the legal people [at Facebook] are going with the lower limits" of affected users, the source said. "Right now, they are working to reduce that number even further by counting only the items we currently have in our data warehouse."
In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company was not ready to talk about specific numbers, such as the number of Facebook employees who accessed the data.
Renfro said the company was planning to alert affected Facebook users, but that no password reset would be necessary.
"Until now, we have found no cases in our investigations where someone was intentionally looking for passwords, or signs of misuse of this data," Renfro said. "In this situation, we found that these passwords were inadvertently recorded, but that there was no real risk. We want to make sure that we reserve these steps and that we force a password change only in cases where there are clearly signs of abuse."
A written statement from Facebook provided to KrebsOnSecurity states that the company expects to notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users." fast connections and low-spec phones.
GitHub and Twitter have both been forced to admit similar difficulties over the past few months, but in both cases, plain text user passwords were available to a relatively small number of people within these organizations and for much shorter periods.
Renfro stated that the problem was uncovered in January 2019 when security engineers who were reviewing some new code noticed that passwords were being inadvertently written in plain text.
"This prompted the team to set up a small working group to make sure we were doing a broad review of everything that could happen," said Renfro. "We have a set of controls in place to try to mitigate these issues, and we are investigating long-term infrastructure changes to prevent this from happening. We are reviewing all the logs we have to see if there has been any abuse or other access to that data."
Facebook's password problems come during a difficult month for the social network. Last week, The New York Times reported that federal prosecutors were conducting a criminal investigation into Facebook's data transactions with some of the world's largest technology companies.
Earlier in March, Facebook had been criticized by security and privacy experts for using phone numbers provided for security reasons, such as two-factor authentication, for other things (such as marketing, advertising and the ability to search users by their phone number on different social network platforms).
Update, 11:43 am: Facebook has posted a statement about this incident here.
Tags: Facebook, free passwords, Scott Renfro
This entry was posted on Thursday, March 21st, 2019 at 11:17 PM and is filed under A Little Sunshine, The Coming Storm.