Why Facebook waited 3 months to disclose its latest privacy screw-up

Facebook is all about making the world more open and connected, except perhaps when it comes to sharing its own colossal privacy screw-ups with its more than 2 billion users.

After KrebsOnSecurity first reported that the company had been storing hundreds of millions of users’ passwords in plain text since as far back as 2012, Facebook VP of engineering Pedro Canahuati rushed to publish a blog post noting the error was discovered in January. In other words, three months ago. 

That Facebook waited until the news was already out in the world to cop to a seriously negligent security and privacy error shouldn’t come as a surprise to anyone who’s been paying attention, but the lack of shock shouldn’t translate to resignation. Facebook could have notified users early, but chose not to. 

Facebook could have notified users early, but chose not to.

The question of why Facebook kept quiet until its hand was forced matters. Was it simply a prudent security decision, or rather an attempt to cover its own ass after an embarrassing error?

We reached out to Facebook in an attempt to answer this question, but unsurprisingly received no response as of press time. Troy Hunt, a security researcher perhaps best known for running the breach disclosure site HaveIBeenPwned, was significantly more willing to chat. 

“I suspect Facebook decided not to initially disclose the issue as they had no evidence of the data being used maliciously,” he wrote over Twitter direct message. “I can understand that position insofar as whilst the storage was clearly improper, without a compromise of the stored data the impact on customers would have been zero.”

This, of course, assumes that the passwords weren’t improperly accessed. Facebook claims as much in its blog post, but that requires you to trust Facebook. Which, well, you’d be forgiven for not jumping at the opportunity. 

Still, even Hunt admits that by waiting to disclose the password screw up until after the Krebs article dropped, Facebook played itself. 

“[The] ‘optics’ of it are bad and with the benefit of hindsight, this is the sort of thing which would very possibly have leaked anyway and proactively disclosing as Twitter and GitHub did last year may have been a wiser course of action.”

Hunt was referring to a similar situation, albeit on a smaller scale, at Twitter in 2018. There, the company said user passwords were stored “unmasked in an internal log,” and that users should change their passwords as a result. 

Notably, Facebook is not recommending that users change passwords — a stance that conveniently lines up with the company’s claim that it “found no evidence to date that anyone internally abused or improperly accessed them.” Importantly, finding no evidence to date that something happened is not the same thing as it not happening. 

Still, there may be a reason for Facebook’s delay in coming forward that paints the company in a more favorable light.  

Patrick Wardle, a security researcher and co-founder of Digita Security, told Mashable over Twitter direct message that he speculates Facebook waited as long as it did for understandable reasons. 

“[If] i had to venture a guess, FB probably wanted to understand the full scope of the situation,” he wrote. “[Were] there other DBs? Did anybody access them? etc etc[.]”

He went on to add, while noting that he is not a specific expert on data breaches, that he doubts “there was any malice in waiting so long … perhaps, even the opposite[.]”

So, assuming you take Facebook at its word that no one accessed the plain text passwords over the course of the last 7 years, there’s nothing really to worry about. And, the Mark Zuckerberg-branded “dumb fucks” that we are, we can just keep on going about our daily Facebook business.