Recent password compromise incidents

Arunkumar Krishnan, pensieve.in
Jan 13, 2021

@Facebook

Security journalist Brian Krebs of KrebsOnSecurity reported that 200–600 million users' passwords had been logged in unencrypted form, accessible to some 20,000 Facebook employees and developers. According to Facebook's statement, the situation is not that bad: no passwords were exposed to anyone outside Facebook, and it found no evidence to date that anyone internally abused or improperly accessed them.

Reference: https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/

@Twitter

A similar incident was reported at Twitter back in May 2018, when Twitter asked all 300+ million users to reset their passwords, citing a bug that had stored passwords in plain text. Again, Twitter said it had fixed the bug and that its investigation found no sign of a breach or of anyone misusing the passwords.

Reference: https://www.theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now

@Github

Another incident, reported at GitHub, involved a similar bug that exposed some user passwords in plaintext. GitHub sent an email to affected users asking them to reset their passwords. Per GitHub's official statement, these passwords were not accessible to the public or to other GitHub users at any time.

Reference: https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/
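All three incidents are the same failure mode: a credential arrives in a request or debug payload and is written to a log exactly as received. As an added example (not from the original post, nor code from any of the companies named), the Python below shows a logging filter that scrubs password-like fields before a handler writes them, plus a scan that flags log lines where a value slipped through; the field names in SENSITIVE_KEYS and the sample log lines are constructed assumptions.

```python
import io
import logging
import re

# Field names whose values must never reach a log line (an assumption for this
# example; extend it with the names your application actually uses).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token")
REDACTED = "[REDACTED]"

# Matches key=value, key: value and "key": "value"; group 2 is the value.
_PATTERN = re.compile(
    r'(?i)(["\']?(?:' + "|".join(SENSITIVE_KEYS) + r')["\']?\s*[=:]\s*["\']?)'
    r'([^"\'\s,}&]+)'
)

def redact(text: str) -> str:
    """Replace the value of every sensitive field in text with [REDACTED]."""
    return _PATTERN.sub(r"\g<1>" + REDACTED, text)

class RedactingFilter(logging.Filter):
    """Scrubs credentials from a record before any handler formats it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # merge args, then scrub
        record.args = ()  # args are now inside msg; never re-interpolate
        return True

def log_with_filter(message: str, *args) -> str:
    """Log one message through the filter and return what the handler wrote."""
    logger = logging.getLogger("redact-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    buf = io.StringIO()
    logger.addHandler(logging.StreamHandler(buf))
    logger.addFilter(RedactingFilter())
    logger.info(message, *args)
    return buf.getvalue().strip()

def find_leaks(lines) -> list:
    """1-based numbers of lines still carrying an unredacted sensitive value."""
    return [i for i, line in enumerate(lines, 1)
            if any(m.group(2) != REDACTED for m in _PATTERN.finditer(line))]

# Constructed sample log lines (not real data) for a quick check.
SAMPLE_LOG = [
    "INFO login ok user=alice password=hunter2",
    'DEBUG request body {"user": "bob", "password": "s3cret!"}',
    "INFO logout user=alice",
]
```

Running find_leaks over existing log files is the detection side: it finds the same class of plaintext-credential logging that each of the three companies had to clean up after the fact.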

Conclusion:

Insiders with privileged access, whatever their motivation, are widely believed to be the root cause of many well-known data breaches. The incidents above may have been unintentional, but they only confirm how severe the threat to user data privacy and security is.
