... No plaintext passwords is always the first thing I taught students when they were learning auth. That's a pretty surprising mistake to make it through a huge engineering team.


This is likely a logging problem, not an auth problem. They store passwords as salted hashes for validation purposes. But some HTTP logging doesn't exclude/scrub these requests properly, so they end up in Elastic. Why would your logs be encrypted?

In fact, I expect this only occurs with change password, not with auth or account creation. Others have been hit with this before.

Not to say this isn't terrible and boneheaded, but it's likely not quite as boneheaded as it first sounds.


Based on some of what I remember from the book Accidental Billionaires, Facebook did a lot of stuff that is mind-bogglingly renegade. Bad even for small startups.

So it probably isn’t “as bad as it sounds”, but Facebook shows up in the news in these ways too often to get much benefit of the doubt.

I just read the TechCrunch article, 2,000 engineers had access to these logs. That's mind-blowing to me.

Yeah, Facebook is one of the most Valley-est of Valley companies as far as "move fast and break things" since they don't care at all about their users. Securing data according to any sort of "need to know" could slow them down so they don't bother.

As far as I know they invented “move fast and break things” or are at least synonymous with it.

Yep, afaict Mark Zuckerberg coined it, and it was a Facebook company motto until around 2014. Though I can't seem to find any original sources from the time, it seems the famous quote is: "Move fast and break things. Unless you are breaking stuff, you are not moving fast enough."

(Also: m.xkcd.com/1428/)


Yeah, this is pretty much the cardinal sin of infosec right here. I get that the circumstances that led to this were complicated, but honestly, for a system used by so many people who will likely use the same password somewhere else, there should have been some sort of automated thing set up to make sure this can't happen anywhere, similarly to how major banks and other highly regulated companies will use that same kind of thing to scan for PII in the wrong places.

As for the actual impact on users, they're saying that they haven't detected any external access, but of course the danger is that there has been external access that they don't know about. Recommend changing your password on FB, and on any other services that you use the same password for (make sure they're unique after changing them).
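The two practical points raised above, scrubbing credentials out of HTTP request logs before they are written (the earlier comment about logging not excluding password fields), and an automated check that scans logs for passwords that slipped through (the "automated thing" mentioned here), can be demonstrated together. The code below is an added example and is not code from the original thread or from Facebook; the field-name list, the log format and the sample log lines are all constructed for illustration.

```python
import json
import re
from typing import Any, Iterable

# Field names whose values must never reach a log. Matching is
# case-insensitive and substring-based, so "new_password" and
# "currentPassword" are caught too. (Assumed list for this example.)
SENSITIVE_KEY_PATTERN = re.compile(
    r"pass(word|wd|phrase)|secret|token|authorization|cookie", re.IGNORECASE
)
REDACTED = "[REDACTED]"


def scrub(value: Any) -> Any:
    """Return a copy of a request record with sensitive values masked.

    Walks nested dicts and lists, so a password buried inside a JSON body
    (e.g. {"body": {"new_password": ...}}) is redacted as well. The input
    is not modified; new containers are built on the way out.
    """
    if isinstance(value, dict):
        return {
            k: (REDACTED if SENSITIVE_KEY_PATTERN.search(str(k)) else scrub(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value


def log_line_for(request: dict) -> str:
    """Serialise a request for the HTTP access log, scrubbing it first.

    Scrubbing happens before serialisation, so the raw record never
    becomes a string that could be emitted by mistake.
    """
    return json.dumps(scrub(request), sort_keys=True)


# Detection side: patterns that indicate a credential did reach a log
# unmasked, in either JSON or form-encoded form. Values equal to the
# redaction marker are ignored by the negative lookahead.
LEAK_PATTERNS = [
    # "password": "hunter2"   (JSON bodies serialised into the log)
    re.compile(
        r'"[^"]*pass(?:word|wd|phrase)[^"]*"\s*:\s*"(?!\[REDACTED\])[^"]+"',
        re.IGNORECASE,
    ),
    # password=hunter2         (form-encoded bodies or query strings)
    re.compile(
        r'(?:^|[?&\s])[^=&\s]*pass(?:word|wd|phrase)[^=&\s]*=(?!\[REDACTED\])[^&\s"]+',
        re.IGNORECASE,
    ),
]


def find_unscrubbed(lines: Iterable[str]) -> list[int]:
    """Return 1-based indexes of log lines that contain a plaintext password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if any(p.search(line) for p in LEAK_PATTERNS):
            hits.append(number)
    return hits


# Constructed sample log lines: line 1 was scrubbed correctly, lines 2 and 3
# leak a password (JSON body and query string respectively), line 4 is benign.
SAMPLE_LOG = [
    'POST /login {"email": "a@example.com", "password": "[REDACTED]"}',
    'POST /login {"email": "b@example.com", "password": "hunter2"}',
    'POST /settings/password?new_password=correct-horse HTTP/1.1',
    'GET /feed user=c@example.com',
]

if __name__ == "__main__":
    request = {
        "method": "POST",
        "path": "/settings/password",
        "headers": {"Authorization": "Bearer abc", "Content-Type": "application/json"},
        "body": {"current_password": "old", "new_password": "new", "display_name": "Alice"},
    }
    print(log_line_for(request))
    print("leaking lines:", find_unscrubbed(SAMPLE_LOG))
```

The scanner is deliberately independent of the scrubber: it only looks at the text that actually landed in the log, so it also catches the case a scrubber cannot, a code path that bypasses the logging wrapper and writes the raw request directly.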


Hence the benefit of using a password manager.
I should definitely write a blog post about it and how I managed to remove the hassle of password managers, multiple OSes (Windows, macOS, Linux) and mobile (iOS, Android), and syncing all of that as simply as doing nothing (all done automatically after a first configuration). :-)
All of that on open-source software and only on my devices (backup on a NAS or Raspberry Pi).


What's the benefit if the generated password is in their logs?


The benefit of using randomly generated passwords is that only the password for Facebook has leaked, which cannot be used to get access to any other place online.
Since the leak is known now and most likely addressed by Facebook ASAP, the only thing you have to do is generate a new password for Facebook, and Facebook only. No need to hunt down all the places online where you may or may not have recycled the same old password123.

Another good auth practice is using two-factor authentication when offered by a website. Such is the case with Facebook. So even a leaked Facebook password doesn't mean that your account is compromised right away when you make use of that.

Oh! Didn't think of that! Thanks for the explanation :)

A very useful website that you can use is:
haveibeenpwned.com/

You can try your email address against it and then know if your email address has been part of a data breach.

It is a website from Troy Hunt, who is a speaker and security professional. I encourage you to have a look at his website as well if you're interested in security in general.
troyhunt.com/


Would love to read that. What software do you use? 👀


Actually, I wrote a post about setting up your own Dropbox- and Evernote-like services using a Raspberry Pi and open-source software.
You can find it here:


Enjoy and tell me if you find it useful.

Hmm, somebody was just telling me how OAuth with Facebook was secure somehow.

It's not surprising. Facebook has zero interest in user privacy or user rights.


All this stuff is totally on-brand for them, but it's still too wild to be true.


Aaaaand that's what happens when you don't take security seriously, no matter what your scale is. Sure, you can get better with time, but the problem that I see often is that security is the first thing that flies out the window. Now, their problem was not taking care of this and running with it for too long. We all make mistakes, but this got a bit out of hand.


https://vignette.wikia.nocookie.net/facepalm/images/e/ea/TripleFacePalm.jpg/revision/latest?cb=20101223062640

Because...

  • They do something that they should not do.
  • They get caught doing that.
  • They have a record of doing that. It's like those teens that commit a crime and film it.

I got logged out from FB recently after 2 days of using it 😂😂. I can't log into my account anymore and I'm not attend to do so. R.I.P my account LOL!

t.me/theprogrammersclub


And I thought it can't get any worse with Facebook 🤪
But it seems that Facebook is full of surprises!


@ben you too, cross check the dev.to password algorithm.


Would it help if we start encrypting our passwords upon sign up? 🤣


Unbelievable. How can a tech giant like Facebook do that? This is not only risky but also a stupid act of exposing everything.
