from Hacker News

Facebook now says its password leak affected ‘millions’ of Instagram users

by BhavdeepSethi on 4/18/19, 6:02 PM with 38 comments

  • by tptacek on 4/18/19, 7:20 PM

    I will say here what I said on security Slack just a few minutes ago:

    Security people see shit like this all the time. Facebook found a raw request log, which inevitably contained lots of passwords. Rather than doing what most tech companies would have done --- delete the log and pretend nothing ever happened --- they disclosed the log in a fashion that guaranteed a whole news cycle about it.

    I don't like Facebook. Facebook is bad. But Facebook handled this about as well as I've seen anyone handle this. Cheers to them for that. This story is not a good reason to single Facebook out.

  • by hw on 4/18/19, 6:52 PM

    So Facebook "determined" that the passwords were not "internally abused" or "improperly accessed". But, they could have been accessed. When employees have access to passwords, how does FB know that they were not transferred outside of FB? An employee could have taken pictures, or have a photographic memory and remember a large number of passwords.

  • by sudhirj on 4/18/19, 7:06 PM

    I really want to be a fly on the wall at the meeting where the inevitable "you shouldn't have done this" statement is countered with "but you said we should move fast and break things".

  • by zeko1195 on 4/18/19, 6:55 PM

    This would never happen at Amazon and I am sure at every other major tech company. There are systems in place to prevent exactly this.

  • by codequeen on 4/18/19, 6:46 PM

    what a complete mess

  • by krupan on 4/18/19, 7:19 PM

    We have had the cryptographic technology for years that allows us to authenticate ourselves to third parties without giving them secret information. Why are we still using passwords?