
Facebook now says its password leak affected ‘millions’ of Instagram users - BhavdeepSethi
https://techcrunch.com/2019/04/18/instagram-password-leak-millions/
======
tptacek
I will say here what I said on security Slack just a few minutes ago:

Security people see shit like this all the time. Facebook found a raw request
log, which inevitably contained lots of passwords. Rather than doing what most
tech companies would have done --- delete the log and pretend nothing ever
happened --- they disclosed the log in a fashion that guaranteed a whole news
cycle about it.

I don't like Facebook. Facebook is bad. But Facebook handled this about as
well as I've seen anyone handle this. Cheers to them for that. This story is
not a good reason to single Facebook out.

~~~
blueboo
> Security people see shit like this all the time

At incompetent startups with no expertise in security

> found a raw request log, which inevitably contained...

But the existence of the log is not inevitable! Is it so unreasonable to hold
Facebook to a professional standard?

> they disclosed the log in a way

They snuck in an amendment to a previously posted press release while the
press was in an uproar about the Mueller report!

They handled this in about as clumsy and dishonest a way as possible. Knowing
the executive team, I dare say that -is- as good as we can expect.

~~~
wglb
>At incompetent startups with no expertise in security

Not exclusively.

------
hw
So Facebook "determined" that the passwords were not "internally abused" or
"improperly accessed". But, they could have been accessed. When employees have
access to passwords, how does FB know that they were not transferred outside
of FB? An employee could have taken pictures, or have a photographic memory
and remember a large number of passwords.

~~~
orev
If they were sitting in a log file somewhere, you could probably audit who had
accessed them. The file permissions might have allowed access, but the audit
logs could show that nobody did.

P.S. I have no knowledge of what actually happened.
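orev's reasoning above, that file permissions only say who could have read the log while audit records say who actually did, is exactly what a Linux auditd file watch gives you. The Python below is an added example (not from the article, the thread, or Facebook); it assumes a watch such as `auditctl -w /var/log/app/request.log -p r -k sensitive_logs` was in place, so that every open of the file produces a SYSCALL record and a PATH record sharing one event id, and it correlates those records by that id. The audit lines are constructed for illustration.

```python
"""Answer "who opened this file?" from Linux audit records.

Added example, not from the article or the thread. Assumes an auditd watch
like `auditctl -w /var/log/app/request.log -p r -k sensitive_logs`. The
records below are constructed: alice (auid 1000) read the log with cat,
event 4570 touches a different file, and event 4571 is a failed open.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1555574400.101:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a1c0b40 a2=0 a3=0 items=1 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="sensitive_logs"
type=CWD msg=audit(1555574400.101:4567): cwd="/home/alice"
type=PATH msg=audit(1555574400.101:4567): item=0 name="/var/log/app/request.log" inode=131 dev=08:01 mode=0100640 ouid=0 ogid=4 nametype=NORMAL
type=SYSCALL msg=audit(1555574405.220:4570): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=2200 pid=2201 auid=1001 uid=1001 gid=1001 euid=1001 comm="less" exe="/usr/bin/less" key="sensitive_logs"
type=PATH msg=audit(1555574405.220:4570): item=0 name="/var/log/app/access.log" inode=132 dev=08:01 mode=0100640 ouid=0 ogid=4 nametype=NORMAL
type=SYSCALL msg=audit(1555574410.330:4571): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2300 pid=2301 auid=1002 uid=1002 gid=1002 euid=1002 comm="grep" exe="/usr/bin/grep" key="sensitive_logs"
type=PATH msg=audit(1555574410.330:4571): item=0 name="/var/log/app/request.log" inode=131 dev=08:01 mode=0100640 ouid=0 ogid=4 nametype=NORMAL
"""

# "type=X msg=audit(<timestamp>:<event id>): <key=value fields>"
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): (?P<fields>.*)$")
# key=value pairs; values are either quoted strings (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text: str) -> dict:
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_audit_log(text: str) -> dict:
    """Group records by event id: {id: {"ts": float, "records": [(type, fields), ...]}}."""
    events = defaultdict(lambda: {"ts": None, "records": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record (or a format we don't handle)
        ev = events[int(m["id"])]
        ev["ts"] = float(m["ts"])
        ev["records"].append((m["type"], parse_fields(m["fields"])))
    return events


def file_accesses(text: str, path: str) -> list:
    """Every open of `path`, successful or not, with who did it and how."""
    out = []
    for eid, ev in sorted(parse_audit_log(text).items()):
        syscall = next((f for t, f in ev["records"] if t == "SYSCALL"), None)
        paths = {f.get("name") for t, f in ev["records"] if t == "PATH"}
        if syscall is None or path not in paths:
            continue
        out.append({
            "event": eid,
            "ts": ev["ts"],
            "success": syscall.get("success") == "yes",
            # auid is the login uid, preserved across su/sudo: it names the
            # person, where uid would name the account they switched to.
            "auid": int(syscall["auid"]),
            "uid": int(syscall["uid"]),
            "comm": syscall.get("comm"),
            "exe": syscall.get("exe"),
        })
    return out


def readers(text: str, path: str) -> list:
    """Distinct login uids that successfully opened the file."""
    return sorted({a["auid"] for a in file_accesses(text, path) if a["success"]})


if __name__ == "__main__":
    for a in file_accesses(SAMPLE_AUDIT_LOG, "/var/log/app/request.log"):
        print(a)
```

The failed open (event 4571) is kept on purpose: a user who was denied is as interesting to the investigation as one who succeeded. Note what this does and does not answer: it tells you who opened the file on this host, not where the log was shipped or copied afterwards, so the access list is a necessary check, not the whole audit.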

------
sudhirj
I really want to be a fly on the wall at the meeting where the inevitable "you
shouldn't have done this" statement is countered with "but you said we should
move fast and break things".

------
zeko1195
This would never happen at Amazon and I am sure at every other major tech
company. There are systems in place to prevent exactly this.

~~~
tptacek
I don't know enough about Amazon to call bullshit on this, but I do know
enough about other major tech companies to call bullshit on this.

~~~
OrgNet
Which other large company stores plain text passwords? How long before they
start trying to re-use the passwords to log in to other services without your
consent?

~~~
ceejayoz
> Which other large company stores plain text passwords?

That's not really what Facebook is saying they did. They accidentally logged
passwords to a log file somewhere. They're not saying they stored them in the
users database in plain text.

~~~
OrgNet
Right, but it has the same end result.

Also, I guess they don't look at their log files? The passwords were there in
clear text for 7 years apparently:
https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/

~~~
ceejayoz
> Right, but it has the same end result.

Irrelevant. The point was that "we accidentally logged something sensitive" is
something any big tech company can (and is likely to) do. Deliberately storing
passwords as plaintext in the users table much less so.

> Also, I guess they don't look at their log files?

If they were temporarily logging something for a particular reason, and forgot
to turn it off, there'd be no reason to.
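tptacek's point earlier that a raw request log "inevitably" contains passwords, and ceejayoz's here that a temporary debug log simply gets forgotten, come down to one control: the logging path itself has to strip credentials, so that a forgotten or over-broad log is harmless. The Python below is an added example, not Facebook's code and not from the article; the field names, request records and log lines are constructed. It does two things: builds the only form of a request that is allowed to reach the log (JSON and form bodies are parsed and credential keys blanked, anything unparseable is dropped), and scans existing log lines for the shapes a leaked credential usually takes, which is the check to run over any request log you inherit.

```python
"""Keep credentials out of request logs, and find the ones already there.

Added example (not Facebook's code; nothing here comes from the article).
Field names, request records and log lines are constructed for illustration.
"""
import json
import re
from typing import Any
from urllib.parse import parse_qsl, urlencode

# Any key containing one of these fragments is treated as a credential, so
# "passwd", "NewPassword", "api_token" and "Set-Cookie" are all caught.
SENSITIVE_KEY_FRAGMENTS = ("password", "passwd", "secret", "token",
                           "authorization", "cookie")
REDACTED = "[REDACTED]"


def is_sensitive_key(key: str) -> bool:
    k = key.lower()
    return any(frag in k for frag in SENSITIVE_KEY_FRAGMENTS)


def redact(obj: Any) -> Any:
    """Recursively replace the values of sensitive keys in dicts and lists."""
    if isinstance(obj, dict):
        return {k: (REDACTED if is_sensitive_key(str(k)) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def redact_form(encoded: str) -> str:
    """Redact sensitive keys in a query string or x-www-form-urlencoded body."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return urlencode([(k, REDACTED if is_sensitive_key(k) else v)
                      for k, v in pairs], safe="[]")


def redact_body(content_type: str, body: str) -> str:
    """Redact a request body by type; anything we cannot parse is not logged."""
    ct = content_type.lower()
    if "application/json" in ct:
        try:
            return json.dumps(redact(json.loads(body)), separators=(",", ":"))
        except json.JSONDecodeError:
            return REDACTED  # don't guess at malformed JSON, drop it
    if "application/x-www-form-urlencoded" in ct:
        return redact_form(body)
    return REDACTED  # unknown body types are never logged verbatim


def request_log_record(req: dict) -> dict:
    """The only shape of a request that is allowed to reach the log."""
    return {
        "method": req["method"],
        "path": req["path"],
        "query": redact_form(req.get("query", "")),
        "headers": redact(req.get("headers", {})),
        "body": redact_body(req.get("content_type", ""), req.get("body", "")),
    }


# Detection side: the shapes a leaked credential usually takes in a raw
# request log (form/query pairs, JSON fields, HTTP basic-auth headers).
LEAK_PATTERNS = [
    re.compile(r"(?i)(?:^|[?&\s])(?:pass(?:word|wd)?|secret|token)=[^&\s]+"),
    re.compile(r'(?i)"(?:pass(?:word|wd)?|secret|token)"\s*:\s*"[^"]+"'),
    re.compile(r"(?i)authorization:\s*basic\s+[A-Za-z0-9+/=]+"),
]


def find_leaks(lines) -> list:
    """Return (line_number, pattern_index) for each line that looks like it holds a credential."""
    hits = []
    for n, line in enumerate(lines, 1):
        for i, pat in enumerate(LEAK_PATTERNS):
            if pat.search(line):
                hits.append((n, i))
                break
    return hits


# Constructed sample of what a raw request log tends to look like.
SAMPLE_LOG_LINES = [
    "POST /login body=email=alice%40example.com&password=hunter2 status=200",
    "GET /feed?cursor=abc status=200",
    'POST /api/session body={"username":"bob","password":"correct horse"} status=200',
    "GET /admin headers=Authorization: Basic YWRtaW46c2VjcmV0 status=401",
]

if __name__ == "__main__":
    for n, i in find_leaks(SAMPLE_LOG_LINES):
        print(f"line {n}: matches leak pattern {i}")
```

The design choice worth copying is the allow-list in `request_log_record`: the log gets a record built from named fields, never the raw request, so a new sensitive field can at worst slip past the key matcher, not bypass redaction entirely. Scanning is the fallback for logs written before that was in place.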

------
codequeen
what a complete mess

~~~
hw
A mess is probably an understatement.

I've been wrestling with them for turning off access via their Graph API to a
public resource on a Page where the Page has access to that resource, and
their rationale was due to the great privacy changes they're making to protect
users' privacy. While they're busy breaking the apps that businesses rely on to
manage their Facebook Pages (without prior notice, à la the whole Instagram API
fiasco), they aren't protecting the one thing that allows access to a user's
privacy - passwords.

------
krupan
We have had the cryptographic technology for _years_ that allows us to
authenticate ourselves to third parties without giving them secret
information. Why are we still using passwords?

