Facebook added to a blog post from March 21 on Thursday to let users know that instead of storing tens of thousands of passwords, as it had reported last month, the number of users affected by the privacy breach was in the millions. (Photo: Reuters)
Apr 19, 2019
In what critics described as a classic "news dump," Facebook appeared to take advantage of the Mueller report capturing the nation's attention to reveal at the same time that millions of users' passwords had been stored on the site in an unsecured manner.
On Thursday, Facebook added to a blog post from March 21 to let users know that instead of storing tens of thousands of Instagram passwords, as it had reported last month, the number of users affected by the privacy breach was in the millions. Facebook is the parent company of Instagram.
"Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format," wrote Pedro Canahuati, vice president of Engineering, Security and Privacy. "We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others."
The stored passwords were found in January during a routine security check, according to Facebook. In March, when the breach was first announced, the company said the passwords were never visible to anyone outside of Facebook.
However, the passwords were stored in plain text--meaning employees could access and read the data. The company wrote that the passwords were not "internally abused or improperly accessed."
A number of critics noted that the revelation--which was shared in a nondescript blog post during a major news event--appeared to be orchestrated to attract as little attention as possible.
"That is how you news dump," wrote Alex Heath, a reporter who covers social media at Cheddar.
\u201cIncredible: While the Muller report was being released, Facebook updates an old press post titled \u201cKeeping Passwords Secure\u201d with the new disclosure that millions of Instagram account passwords were internally stored in readable plaintext. https://t.co/BiDfq1G8N3\u201d— Alex Heath (@Alex Heath) 1555610549
\u201cThat is how you news dump.\u201d— Alex Heath (@Alex Heath) 1555610549
\u201cThis blog post title is like if you were announcing your divorce with the title \u201cKeeping Marriage Secure"\u201d— Alex Heath (@Alex Heath) 1555610549
\u201cSo Facebook chooses the busiest news day of the year to drop an announcement that millions of Instagram passwords have been compromised. \n\nAnd they do it by adding an editor's note to a blog post from *March 21*. Amazing.\n\nhttps://t.co/r6JYNRvE43\u201d— Ethan DeWitt (@Ethan DeWitt) 1555674600
"Attempting to hide bad news can often backfire for a company," wrote Heather Kelly of CNN Business. "It could land during a quiet time when nothing else is going on and be a big story, or it could lead to reporters writing about a company's habit of trying to bury news before holidays."
The news of the password breach also coincided with reports that Facebook had "unintentionally" collected 1.5 million email contacts from users, without their consent, starting in May 2016.
Users were asked to enter their email addresses to verify their identities when signing up for Facebook, and during that process the company was able to gather their contacts "to improve Facebook's ad targeting, build Facebook's web of social connections, and recommend friends to add," according to Business Insider.
\u201cRemember when we learned Facebook was asking some new users for email passwords for the stated purpose of "verification," then using the passwords to scrape contact info?\nIt happened for almost 3 years and "unintentionally" vacuumed up 1.5 million contacts.https://t.co/zwhHlOS9Ax\u201d— EFF (@EFF) 1555621566
Facebook is currently under investigation by the Department of Justice and the Federal Trade Commission for its sharing of users' data with outside developers including Cambridge Analytica, a political consulting group with ties to President Donald Trump's 2016 campaign.
On Friday, the Washington Postreported that federal regulators are specifically targeting Facebook CEO Mark Zuckerberg in their probe of the company.
"The days of pretending this is an innocent platform are over," Roger McNamee, an early Facebook investor who has criticized the company over its privacy breaches and effects on U.S. democracy, told the Post, "and citing Mark in a large scale enforcement action would drive that home in spades."
Join Us: News for people demanding a better world
Common Dreams is powered by optimists who believe in the power of informed and engaged citizens to ignite and enact change to make the world a better place. We're hundreds of thousands strong, but every single supporter makes the difference. Your contribution supports this bold media model—free, independent, and dedicated to reporting the facts every day. Stand with us in the fight for economic equality, social justice, human rights, and a more sustainable future. As a people-powered nonprofit news outlet, we cover the issues the corporate media never will. |
Our work is licensed under Creative Commons (CC BY-NC-ND 3.0). Feel free to republish and share widely.
In what critics described as a classic "news dump," Facebook appeared to take advantage of the Mueller report capturing the nation's attention to reveal at the same time that millions of users' passwords had been stored on the site in an unsecured manner.
On Thursday, Facebook added to a blog post from March 21 to let users know that instead of storing tens of thousands of Instagram passwords, as it had reported last month, the number of users affected by the privacy breach was in the millions. Facebook is the parent company of Instagram.
"Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format," wrote Pedro Canahuati, vice president of Engineering, Security and Privacy. "We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others."
The stored passwords were found in January during a routine security check, according to Facebook. In March, when the breach was first announced, the company said the passwords were never visible to anyone outside of Facebook.
However, the passwords were stored in plain text--meaning employees could access and read the data. The company wrote that the passwords were not "internally abused or improperly accessed."
A number of critics noted that the revelation--which was shared in a nondescript blog post during a major news event--appeared to be orchestrated to attract as little attention as possible.
"That is how you news dump," wrote Alex Heath, a reporter who covers social media at Cheddar.
\u201cIncredible: While the Muller report was being released, Facebook updates an old press post titled \u201cKeeping Passwords Secure\u201d with the new disclosure that millions of Instagram account passwords were internally stored in readable plaintext. https://t.co/BiDfq1G8N3\u201d— Alex Heath (@Alex Heath) 1555610549
\u201cThat is how you news dump.\u201d— Alex Heath (@Alex Heath) 1555610549
\u201cThis blog post title is like if you were announcing your divorce with the title \u201cKeeping Marriage Secure"\u201d— Alex Heath (@Alex Heath) 1555610549
\u201cSo Facebook chooses the busiest news day of the year to drop an announcement that millions of Instagram passwords have been compromised. \n\nAnd they do it by adding an editor's note to a blog post from *March 21*. Amazing.\n\nhttps://t.co/r6JYNRvE43\u201d— Ethan DeWitt (@Ethan DeWitt) 1555674600
"Attempting to hide bad news can often backfire for a company," wrote Heather Kelly of CNN Business. "It could land during a quiet time when nothing else is going on and be a big story, or it could lead to reporters writing about a company's habit of trying to bury news before holidays."
The news of the password breach also coincided with reports that Facebook had "unintentionally" collected 1.5 million email contacts from users, without their consent, starting in May 2016.
Users were asked to enter their email addresses to verify their identities when signing up for Facebook, and during that process the company was able to gather their contacts "to improve Facebook's ad targeting, build Facebook's web of social connections, and recommend friends to add," according to Business Insider.
\u201cRemember when we learned Facebook was asking some new users for email passwords for the stated purpose of "verification," then using the passwords to scrape contact info?\nIt happened for almost 3 years and "unintentionally" vacuumed up 1.5 million contacts.https://t.co/zwhHlOS9Ax\u201d— EFF (@EFF) 1555621566
Facebook is currently under investigation by the Department of Justice and the Federal Trade Commission for its sharing of users' data with outside developers including Cambridge Analytica, a political consulting group with ties to President Donald Trump's 2016 campaign.
On Friday, the Washington Postreported that federal regulators are specifically targeting Facebook CEO Mark Zuckerberg in their probe of the company.
"The days of pretending this is an innocent platform are over," Roger McNamee, an early Facebook investor who has criticized the company over its privacy breaches and effects on U.S. democracy, told the Post, "and citing Mark in a large scale enforcement action would drive that home in spades."
In what critics described as a classic "news dump," Facebook appeared to take advantage of the Mueller report capturing the nation's attention to reveal at the same time that millions of users' passwords had been stored on the site in an unsecured manner.
On Thursday, Facebook added to a blog post from March 21 to let users know that instead of storing tens of thousands of Instagram passwords, as it had reported last month, the number of users affected by the privacy breach was in the millions. Facebook is the parent company of Instagram.
"Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format," wrote Pedro Canahuati, vice president of Engineering, Security and Privacy. "We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others."
The stored passwords were found in January during a routine security check, according to Facebook. In March, when the breach was first announced, the company said the passwords were never visible to anyone outside of Facebook.
However, the passwords were stored in plain text--meaning employees could access and read the data. The company wrote that the passwords were not "internally abused or improperly accessed."
A number of critics noted that the revelation--which was shared in a nondescript blog post during a major news event--appeared to be orchestrated to attract as little attention as possible.
"That is how you news dump," wrote Alex Heath, a reporter who covers social media at Cheddar.
\u201cIncredible: While the Muller report was being released, Facebook updates an old press post titled \u201cKeeping Passwords Secure\u201d with the new disclosure that millions of Instagram account passwords were internally stored in readable plaintext. https://t.co/BiDfq1G8N3\u201d— Alex Heath (@Alex Heath) 1555610549
\u201cThat is how you news dump.\u201d— Alex Heath (@Alex Heath) 1555610549
\u201cThis blog post title is like if you were announcing your divorce with the title \u201cKeeping Marriage Secure"\u201d— Alex Heath (@Alex Heath) 1555610549
\u201cSo Facebook chooses the busiest news day of the year to drop an announcement that millions of Instagram passwords have been compromised. \n\nAnd they do it by adding an editor's note to a blog post from *March 21*. Amazing.\n\nhttps://t.co/r6JYNRvE43\u201d— Ethan DeWitt (@Ethan DeWitt) 1555674600
"Attempting to hide bad news can often backfire for a company," wrote Heather Kelly of CNN Business. "It could land during a quiet time when nothing else is going on and be a big story, or it could lead to reporters writing about a company's habit of trying to bury news before holidays."
The news of the password breach also coincided with reports that Facebook had "unintentionally" collected 1.5 million email contacts from users, without their consent, starting in May 2016.
Users were asked to enter their email addresses to verify their identities when signing up for Facebook, and during that process the company was able to gather their contacts "to improve Facebook's ad targeting, build Facebook's web of social connections, and recommend friends to add," according to Business Insider.
\u201cRemember when we learned Facebook was asking some new users for email passwords for the stated purpose of "verification," then using the passwords to scrape contact info?\nIt happened for almost 3 years and "unintentionally" vacuumed up 1.5 million contacts.https://t.co/zwhHlOS9Ax\u201d— EFF (@EFF) 1555621566
Facebook is currently under investigation by the Department of Justice and the Federal Trade Commission for its sharing of users' data with outside developers including Cambridge Analytica, a political consulting group with ties to President Donald Trump's 2016 campaign.
On Friday, the Washington Postreported that federal regulators are specifically targeting Facebook CEO Mark Zuckerberg in their probe of the company.
"The days of pretending this is an innocent platform are over," Roger McNamee, an early Facebook investor who has criticized the company over its privacy breaches and effects on U.S. democracy, told the Post, "and citing Mark in a large scale enforcement action would drive that home in spades."
We've had enough. The 1% own and operate the corporate media. They are doing everything they can to defend the status quo, squash dissent and protect the wealthy and the powerful. The Common Dreams media model is different. We cover the news that matters to the 99%. Our mission? To inform. To inspire. To ignite change for the common good. How? Nonprofit. Independent. Reader-supported. Free to read. Free to republish. Free to share. With no advertising. No paywalls. No selling of your data. Thousands of small donations fund our newsroom and allow us to continue publishing. Can you chip in? We can't do it without you. Thank you.