Should you change your Facebook password after plaintext password incident?

MANILA, Philippines – Facebook is once again in the midst of a user data controversy, this time involving user passwords.

Facebook confirmed on Thursday, March 21, that hundreds of millions of passwords were stored in plaintext – meaning they were stored on its servers as-is, as if you had merely written them down in a notebook, potentially leaving them exposed to prying eyes.

Companies that store passwords typically hash them: the passwords are scrambled before being stored, so that anyone who looks at the stored values cannot easily decipher them. Facebook, in this incident, appears not to have done this.

We've asked Facebook Philippines whether Filipinos were affected, but while we wait for their response, we ask: should we change our passwords right now?

Two experts from cybersecurity firm Sophos have chimed in via an email to Rappler.

Paul Ducklin, senior technologist at Sophos, answers: "Why not? It's perfectly possible that no passwords at all fell into the hands of any crooks as a result of this. But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before), then you can expect them to be abused. Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed." 

"So our advice is, change your password now," Ducklin finishes. Wired Magazine, similarly, tells users to change their passwords now.  

Ducklin also reminds users to once again turn on two-factor authentication (2FA) now. "We've been urging you to use two-factor authentication everywhere you can anyway – it means that a password alone isn't enough for crooks to raid your account," he says.

For those reluctant to give Facebook their phone number, Ducklin advises using app-based authentication that generates a one-time code each time you log in. 

John Shier, senior security advisor at Sophos, talks about the nature of the incident, saying it may have been caused by an accidental programming error.

"While the details of the incident are still emerging, this is likely an accidental programming error that led to the logging of plain text credentials. That said, this should never have happened and Facebook needs to ensure that no user credentials or data were compromised as a result of this error," Shier said.
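To make the difference between hashed storage and accidental plaintext logging concrete, here is an added example (not Facebook's or Sophos's code) showing a salted scrypt hash for storage alongside a log filter that scrubs credentials before anything is written. The field names, logger name and sample request body are assumptions constructed for illustration.

```python
import hashlib, hmac, logging, os, re

# Assumed credential field names; a real service would list its own.
SENSITIVE = re.compile(r'(?i)\b(password|passwd|pass)=([^&\s]+)')

class RedactCredentials(logging.Filter):
    """Scrub credential values from a record before any handler writes it."""
    def filter(self, record):
        record.msg = SENSITIVE.sub(r'\1=[REDACTED]', record.getMessage())
        record.args = ()  # message is already fully formatted
        return True

def hash_password(password, salt=None):
    """Return (salt, digest) using scrypt, a deliberately slow, salted hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def verify_password(password, salt, digest):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo can inspect them."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def demo():
    handler = ListHandler()
    log = logging.getLogger("login-demo")  # hypothetical logger name
    log.handlers = [handler]
    log.addFilter(RedactCredentials())
    log.setLevel(logging.INFO)
    log.propagate = False
    # Constructed sample request body, not real data.
    body = "email=user@example.com&password=correct-horse-battery"
    log.info("login attempt body=%s", body)  # the kind of call that leaks
    salt, digest = hash_password("correct-horse-battery")
    return handler.lines, salt, digest
```

Only the salt and digest would be stored; the filter is a safety net for debug statements that log a raw request by mistake.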

While Ducklin says they won't be deleting their own Facebook accounts, he says that "on the other hand, it's a pretty poor look for Facebook," and that it's up to the user to decide whether or not to delete Facebook in light of the incident.

Gelo Gonzales

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.