An anonymous Facebook source informed Krebs today at some point in January their security team discovered that they've been logging millions of user passwords in plaintext, surprising exactly no one. These logs were presumably never accessible to anyone outside of Facebook, but potentially might have been accessed by employees. While passwords were encrypted in transit and hashed in storage, in logs they were unsecured.
While unfortunate and irresponsible, this is a mistake many developers make; logs are incorrectly not considered a sensitive asset. A savvy attacker, having gained access to a system, can learn quite a bit from logs, which are pretty much never encrypted.
Dev teams must be trained in Security 101, and move past the paradigm of "lets build it first and secure it later"; we all know how long technical debt can languish in backlogs. Software must be designed to be secure from the start.
Facebook has released a statement regarding this leak, not saying much else besides that they've been reviewing their logging practices and found this same issue in several other places. Hopefully they learn from this and improve their practices, and inspire other teams to also review their own policies.
@riking "let's just log this string real quick to see if it's correct..." *log statement stays in code base for years*
A small community of meme gardeners, planting and nurturing ideas.