It’s 2024 and passwords are still here. Not for too long, if you ask me.
1 year ago, I wrote a LinkedIn blog post about the transition to passwordless, cracking passwords and best practices for hashing passwords.
No matter how familiar you are with password cracking, hashing and encryption techniques – one thing should be obvious to any Appsec, Product Security or Software Engineer: storing passwords in clear text is a big no no.
Apparently, this wasn’t the case in Meta.
Meta has a quite notorious history when it comes to GDPR compliance breaches. Over the years, Meta has faced significant fines under the GDPR law primarily imposed by the Irish Data Protection Commission (DPC), as Meta’s European headquarters are in Ireland. This included 5 different occasions amounting to hundreds of millions of dollars.
This week Meta did it again and was fined $101.5M by the DPC, due to storing user passwords of hundreds of millions of users in clear text on its servers, back in an incident in 2019.
The DPC found that user passwords were exposed in clear text to thousands of Meta employees, security measures haven’t been taken and the company failed to report the breach promptly.
While GDPR does not specifically provide guidelines for password hashing and encryption, it strongly emphasizes the need for secure processing practices and data protection in Article 5(1)(f), Article 32 and Recital 83.
Here are the takeaways and guidelines from the Facebook data breach in 2024 which every organization should establish:
- Security is a team effort. This case emphasizes the importance of implementing a multilayered proactive approach to application security involving different teams reporting to CISOs: Appsec, Product Security, Security Engineering and Architecture, Red Teams, GRC as well as Engineering and R&D teams.
- Hashing and salting is 101. Passwords should always be hashed using modern hashing algorithms such as bcrypt, Argon2 or PBKDF2. A unique salt should be appended or prepended to each password to avoid collision and rainbow table attacks.
- Implement secure logging in your application. Use secure logging libraries, safe logging techniques like parameterized logging and pattern-based log masking filtering or obfuscation, sanitize user input prior to logging, enforce logs encryption and monitor logs for secrets. These practices can significantly mitigate the exposure and leakage of plain text passwords into logs.
- Cybersecurity governance is vital. Organizations should design and implement healthy cybersecurity governance and in particular clear policies, processes and procedures for prompt incident response and transparent breach reporting.
- CCM can significantly reduce the MTTD (Mean Time To Detect) of security and GDPR breaches. Continuous control monitoring (CCM) of key data privacy and security controls can significantly aid in automatically detecting application security and GDPR gaps and help to mitigate risks and take proper remediation and response steps.
Storing passwords in clear text is a glaring oversight that can have severe legal and financial consequences. Organizations must prioritize proactive security measures such as password hashing, secure logging, and continuous control monitoring to minimize risks.
By fostering a strong cybersecurity governance framework, companies can better detect, respond and report on breaches, protecting both their users and their bottom line from the repercussions of poor data handling practices.