In what critics described as a classic “news dump,” Facebook appeared to take advantage of the Mueller report
capturing the nation’s attention to reveal at the same time that
millions of users’ passwords had been stored on the site in an unsecured
On Thursday, Facebook added to a blog post from March 21 to let users know that instead of storing tens of thousands of Instagram passwords, as it had reported last month, the number of users affected by the privacy breach was in the millions. Facebook is the parent company of Instagram.
“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format,” wrote Pedro Canahuati, vice president of Engineering, Security and Privacy. “We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.”
The stored passwords were found in January during a routine security check, according to Facebook. In March, when the breach was first announced, the company said the passwords were never visible to anyone outside of Facebook.
However, the passwords were stored in plain text—meaning employees could access and read the data. The company wrote that the passwords were not “internally abused or improperly accessed.”
A number of critics noted that the revelation—which was shared in a nondescript blog post during a major news event—appeared to be orchestrated to attract as little attention as possible.
“That is how you news dump,” wrote Alex Heath, a reporter who covers social media at Cheddar.
Incredible: While the Muller report was being released, Facebook updates an old press post titled “Keeping Passwords Secure” with the new disclosure that millions of Instagram account passwords were internally stored in readable plaintext. https://t.co/BiDfq1G8N3— Alex Heath (@alexeheath) April 18, 2019
“Attempting to hide bad news can often backfire for a company,” wrote Heather Kelly of CNN Business. “It could land during a quiet time when nothing else is going on and be a big story, or it could lead to reporters writing about a company’s habit of trying to bury news before holidays.”
The news of the password breach also coincided with reports that Facebook had “unintentionally” collected 1.5 million email contacts from users, without their consent, starting in May 2016.
Users were asked to enter their email addresses to verify when signing up for Facebook, and during that was able to gather their contacts “to improve Facebook’s , build Facebook’s web of social connections, and to add,” according to Business Insider.
Remember when we learned Facebook was asking some new users for email passwords for the stated purpose of "verification," then using the passwords to scrape contact info?— EFF (@EFF) April 18, 2019
It happened for almost 3 years and "unintentionally" vacuumed up 1.5 million contacts.https://t.co/zwhHlOS9Ax
Facebook is currently under investigation by the Department of Justice and the Federal Trade Commission for its sharing of users’ data with outside developers including Cambridge Analytica, a political consulting group with ties to President Donald Trump’s 2016 campaign.
On Friday, the Washington Post reported that federal regulators are specifically targeting Facebook CEO Mark Zuckerberg in their probe of the company.
“The days of pretending this is an innocent platform are over,” Roger McNamee, an early Facebook investor who has criticized the company over its privacy breaches and effects on U.S. democracy, told the Post, “and citing Mark in a large scale enforcement action would drive that home in spades.”
THIS ARTICLE ORIGINALLY POSTED HERE.