Reports are circulating online that Facebook has “leaked the passwords of 600 million users” and that “for several years they were made available on one server in plain text”, i.e. without encryption. This is not entirely true …
600 million Facebook user passwords stored without encryption
It is true that the passwords of 600 million users were on the server and were not encrypted. But the server was not publicly available: the machine was in Facebook's internal network and, since 2012, only Facebook employees had access to it. Only 20,000 Facebook employees …
Facebook claims that this was an oversight and that, after reviewing the access history for this data, there is no indication that any employees abused it. A slip-up? Yes. A huge one! But everything indicates that it is not as dangerous as some of those describing this event in the media would like. Still, it is a great embarrassment.
The incident leaked to the media thanks to an anonymous Facebook employee
Facebook disclosed the incident today in a press release entitled “Keeping passwords secure”. But Facebook probably would not have done so had it not been for the article by Brian Krebs, whom one Facebook employee contacted. This employee decided to disclose the problem to the journalist because he was upset by Facebook's legal department, which downplayed the results of an internal investigation aimed at determining how long and how many passwords actually were on the internal server.
Source: Krebs on Security