從 Krebs on Security 這邊看到的:「Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years」,Facebook 官方的回應在「Keeping Passwords Secure」這邊。
幾個重點,第一個是範圍,目前已經有看到 2012 的資料都有在內:
The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.
另外的重點是這些資料已經被內部拿來大量搜尋 (喔喔):
My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.
另外是 Legal 與 PR 都已經啟動處理了,對外新聞稿會美化數字,降低傷害:
“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
另外也會淡化後續的程序�:
Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.
去年的另外一則新聞可以交叉看:「Facebook’s security chief is leaving, and no one’s going to replace him」:
Instead of building out a dedicated security team, Facebook has dissolved it and is instead embedding security engineers within its other divisions. “We are not naming a new CSO, since earlier this year we embedded our security engineers, analysts, investigators, and other specialists in our product and engineering teams to better address the emerging security threats we face,” a Facebook spokesman said in an email. Facebook will “continue to evaluate what kind of structure works best” to protect users’ security, he said.
看起來又要再換一次密碼了... (還好已經習慣用 Password Manager,所以每個站都有不同密碼?)
喔對,另外補充一個概念,當他們說「我們沒有證據有人存取了...」的時候,比較正確的表達應該是「我們沒有稽核這塊... 所以沒有證據」。
