Change your Facebook and Instagram passwords immediately. Facebook stored hundreds of millions of passwords in plain text.

It’s hard to believe, but yes, it happened again. Facebook users’ information has once again been compromised. This time, it is our passwords, and hundreds of millions of Facebook users (and may I add, Instagram users too) are affected. According to Pedro Canahuati, VP Engineering, Security and Privacy of Facebook, in a post on Facebook Newsroom dated March 21, 2019, the passwords were in readable format, but he said that “these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”

Facebook did not give details as to which particular application caused the problem but they did say that this was revealed in January of this year during a “routine security review”.

I personally tend to believe that while the passwords were readable and readily available, Facebook’s engineers or anyone else internally never took advantage of the security hole, as Facebook claims. However, this is not what worries me. What I worry about is that this is not the first time that user information has not been adequately protected.

There is the Cambridge Analytica incident still hounding Facebook. Just recently, I read a Gizmodo article that stated: “The attorney general for the District of Columbia may have obtained internal company emails showing that Facebook had knowledge of Cambridge Analytica’s data-harvesting efforts months sooner than CEO Mark Zuckerberg let on last year.” In that fiasco, Cambridge Analytica was found to have obtained data on millions of Facebook users without their explicit consent. If this Gizmodo article turns out to be true, doesn’t that look like an attempted coverup? The Cambridge Analytica case has not been fully resolved yet.

For a company as big as Facebook, holding so much personal information on hundreds of millions of private individuals, you would think that security and privacy would be top priority. Finding out that passwords were stored in plain text makes me very nervous about what else isn’t properly secured and protected by Facebook. Will it just be a matter of time before another breach is discovered within Facebook? How exposed are we going to be?

Facebook has said that in the coming days, it will be informing affected users on Facebook and Instagram. Fine. But it has to do more to assure Facebook users that our personal data and privacy are going to be addressed and internal control systems tightened even more.

What do we do now? Here are a few suggested actions.

1. Immediately change the passwords of your Facebook and/or Instagram accounts and ensure that your password is very strong.
2. Use a reliable password manager to generate a strong, random password for you. I have been using a password manager for years now and find it very convenient. Some such password managers are 1Password, Dashlane, and LastPass. My passwords are over 20 characters long and consist of upper- and lowercase letters, digits and special symbols, and I change them regularly.
3. Enable two-factor authentication (2FA). Caveat: I am a bit iffy about activating 2FA with a mobile number. This article by TechCrunch says that people are discovering that Facebook has allowed people to look up user profiles using mobile numbers and has used those numbers also for targeted ads. Instead, I would recommend that you activate 2FA using a third-party app like Google Authenticator (which I use). Here’s an article that shows you how to do that.
4. Set up a login alert. On Facebook, go to Settings > Security and Login > Set Up Extra Security. Turn the alert on. You can also choose if the alert notification will be sent to you on Facebook, Messenger, and/or email. There is an option to have it sent to your mobile, but considering what I mentioned in item 3 above, you don’t want to provide your mobile number to Facebook.

Thanks for reading till the end. Now go and change those passwords! Good luck!


Tita Jane

Tita forever, geek forever!!! Loves gadgets more than clothes... First introduced to IT via punched cards and COBOL programming... IT auditor for over 5 years... IT consultant covering the financial industry for over 7 years... Now, a blogger and social media practitioner...and still covering the IT world, among other interests. And proud that all my kids are geeky as well. ~ Tita Jane Uymatiao
