Facebook employees seem to be able to access any user’s password in plain text

I was reading through this fascinating article about former Facebook employee Katherine Losse’s disillusionment with Facebook and how she moved away from the company.

As part of the customer service team, she was supposedly given a ‘master password’ (we knew this existed) that gives access to any Facebook data. Apparently, this includes passwords:

“She could go into pages to fix technical problems and police content. Losse recounted sparring with a user who created a succession of pages devoted to anti-gay messages and imagery. In one exchange, she noticed the man’s password, “Ilovejason,” and was startled by the painful irony.”

Seriously? Facebook doesn’t encrypt their users’ passwords, and their staff can just access them? What is going on here? The password should be hashed, both in the database and in transit, so how was she able to access it? This is absolutely unacceptable, and horribly bad security practice. Nobody inside the company should be able to decrypt the password manually and it definitely should not be stored in an easily accessible manner.

This is terrifying to hear, especially if the company still practices giving their staff (no matter how ‘important’ they are) this level of access. Other companies, like Google, are never able to retrieve information like this and must reset users’ passwords to gain access to accounts.
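To make the storage point concrete, here is an added example (not from the original post and not Facebook's or Google's code) of an account store that keeps only a per-user salt and a slow hash, so a support tool can reset a password but has nothing readable to show. The class name, method names, iteration count and sample account are assumptions made for illustration.

```python
import hashlib, hmac, secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed for this example)

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class CredentialStore:
    """Hypothetical account store: keeps salt + slow hash, never the password."""

    def __init__(self):
        self._records = {}  # username -> (salt, digest)
        self._resets = {}   # sha256(reset token) -> username

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # unique per user
        self._records[user] = (salt, _digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        # Unknown users get a dummy salt so the same work is done either way.
        salt, stored = self._records.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(stored, _digest(password, salt))

    def support_view(self, user: str) -> dict:
        # Everything an internal support tool could display for this account.
        salt, stored = self._records[user]
        return {"user": user, "salt": salt.hex(), "digest": stored.hex()}

    def support_reset(self, user: str) -> str:
        # Staff cannot read the password; they can only invalidate it and
        # issue a one-time token that goes to the account owner.
        self.set_password(user, secrets.token_urlsafe(32))
        token = secrets.token_urlsafe(32)
        self._resets[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def redeem_reset(self, token: str, new_password: str) -> bool:
        user = self._resets.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if user is None:
            return False  # unknown or already-used token
        self.set_password(user, new_password)
        return True

if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("alice", "correct horse battery staple")  # constructed sample
    print(store.support_view("alice"))  # salt and digest only
    token = store.support_reset("alice")
    print(store.redeem_reset(token, "a new passphrase"), store.verify("alice", "a new passphrase"))
```

Only a hash of the reset token is stored, so reading the reset table does not hand anyone a usable token either.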

 