Facebook’s unprotected passwords: Commentary from Paul Ducklin, senior technologist, Sophos:
- Should I change my Facebook password?
Sophos: Why not? It’s perfectly possible that no passwords at all fell into the hands of any crooks as a result of this. But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before), then you can expect them to be abused. Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed. So our advice is: change your password now.
2. Should I turn on two-factor authentication?
Sophos: Yes, turn on two-factor authentication (2FA) now. We’ve been urging you to do use two-factor authentication everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account.
If you are reluctant to give Facebook your phone number, use app-based authentication, where your mobile phone generates a one-time code each time you log in.
3.Should I close my Facebook account?
Sophos: We can’t answer that for you. Given that the wrongly-stored passwords weren’t easily accessible in one database, or deliberately stored for routine use during logins, we don’t think this breach alone is enough reason to terminate your account. On the other hand, it’s a pretty poor look for Facebook, and it might be enough, amongst all the other privacy concerns that have dogged Facebook in recent years, to convince you to take that final step. In short, you have to decide for yourself. (If it helps you decide, we’re not closing our accounts.)
Paul Ducklin, senior technologist, Sophos