It is truly breathtaking that a company of Facebook's size and influence failed to notice that it was logging user passwords in cleartext for more than seven years, and that those passwords had been exposed in more than 9 million searches over that time period.
It is important to recognize that Facebook's never-ending stream of security breaches has almost always involved its public interfaces, rather than remote hackers penetrating its networks and exfiltrating its databases.
It is even more important to remember that almost all of the company's breaches to date have involved the data of its users, not Facebook's own data.
In other words, Facebook is quite competent when it comes to securing data it views as valuable, such as its own records.
When it comes to its users, however, the company's willful disregard for the safety, security and privacy of its users now appears to extend to the company's handling of their passwords.
The vector through which the breach occurred, developer logging, reminds us of how easy it is for even the most sensitive information to leak across a company through improper logging practices. Gone are the days when companies didn't think twice about transferring user credentials in the clear and storing them in plaintext in wide-open internet-connected databases with default passwords. Yet even companies that follow all standard security best practices can suffer breaches if they don't meticulously control how every piece of sensitive information flows through their entire infrastructure.
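As an added defensive example, not code from the original article or from Facebook, here is a Python sketch of the two controls this points to: redacting credential-bearing fields before a record reaches the logger, and auditing log lines that already exist for cleartext credentials. The sensitive field-name list and the sample log lines are constructed assumptions.

```python
import json
import re

# Key names that must never be written to a log in the clear (assumed list, not Facebook's).
SENSITIVE_KEYS = re.compile(
    r"(?<![a-z])(pass(?:word|wd)?|pwd|secret|token|api[_-]?key|authorization)(?![a-z])", re.I)
# The same names when they appear inline in query strings, form bodies or headers.
INLINE_CRED = re.compile(
    r"(?<![a-z])(pass(?:word|wd)?|pwd|secret|token)\s*[=:]\s*([^&\s\"']+)", re.I)
REDACTED = "[REDACTED]"

def redact(obj):
    # Redact sensitive fields in a structured record before it is handed to the logger.
    if isinstance(obj, dict):
        return {k: (REDACTED if SENSITIVE_KEYS.search(k) else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

def leaked_keys(obj):
    # Yield the names of sensitive keys present anywhere in an already-parsed record.
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from ([k] if SENSITIVE_KEYS.search(k) else leaked_keys(v))
    elif isinstance(obj, list):
        for v in obj:
            yield from leaked_keys(v)

def find_leaks(lines):
    # Audit existing log lines: return (line_no, field) for each cleartext credential found.
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)          # structured (JSON) log line
        except ValueError:
            rec = None                      # free-text line, fall back to the inline pattern
        if isinstance(rec, (dict, list)):
            hits.extend((n, k) for k in leaked_keys(rec))
        else:
            hits.extend((n, m.group(1).lower()) for m in INLINE_CRED.finditer(line))
    return hits

# Constructed sample log lines, not real data.
SAMPLE_LOG = [
    '{"event":"login","user":"alice","password":"hunter2","ip":"10.0.0.5"}',
    'POST /login body=user=bob&passwd=s3cret&remember=1',
    '{"event":"api","ctx":{"api_key":"AKIA-EXAMPLE"},"status":200}',
    '{"event":"view","user":"carol","status":200}',
]
```

Running `find_leaks(SAMPLE_LOG)` flags lines 1 to 3 and leaves the clean line alone; wiring `redact` in as a logging filter is what keeps such lines from being written in the first place.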
If a company can hemorrhage its most sensitive user data, and even access credentials, again and again and again and again without losing any of its users, and in fact continue to grow rapidly during that period, perhaps there is no longer a reason to even bother trying to secure our networks, since users apparently no longer care if their data is stolen.