Does anyone remember an article/interview a while back where Mark Fuckerberg shamelessly admitted that he chose not to hash passwords in the original Facebook codebase specifically because he wanted to be able to log into his users’ other accounts that use the same password? I swear I remember reading something like this but now I can’t find it.
instead of in an encrypted format on its internal systems.
Riiight, like that’s any better. Jokes aside, it’s hard to imagine what kind of “mistake” results in storing plain text instead of hashing, unless the mistake was in choosing whoever made the security assessment
There was a previous article on this with more explanation that I’m struggling to find.
The gist was that they do hash all passwords stored, the problem was that there was a mistake made with the internal tool they use to do that hashing which led to the passwords inadvertently going into some log system.
Makes sense now, thank you
“mistake”
I call BS. The reviews I’ve gone through for trivial stuff would’ve exposed this.
This was intentional.
Hanlon’s Razor revised: Never attribute to malice what can be attributed to incompetence, except where there is an established pattern of malice.
Then incompetence at a level that’s incomprehensible.
A code review certainly exposed this, and some manager signed off on the risk.
Again, changes I make are trivial in comparison, and our code/risk reviews would’ve exposed this in no time.
Yeah, cause trivial systems are a lot easier to parse and review. At a base level that’s nonsense logic.
My point being the extensiveness of a review process.
The more important a system, the more people it impacts, etc, the more extensive the review process.
Someone chose to ignore this risk. That’s intentional.
You quite frankly, don’t know what happened and if you’re confident it’s intentional, all that says is that you’re a grump who likes to complain.
Christ, the hell I would’ve gotten, in the 90’s, if I’d done something like this.
101 million is too small for such an epic error.
I think it is just Ireland though (which is why I added Ireland to the title).
Seriously. Didn’t they make billions last year? That number should be much, much higher for Zuck & Co. to actually start giving a fuck.
Any kind of encryption requires storing the key in plain text. Still nice to see Meta being fined though.
The author of the article is clearly just confusing “encryption”, “cryptography” and “hashing”. Reading the full article makes it clear that the intention was to salt and hash the passwords, not encrypting them.
Google did it too for a decade
