Reading Wikipedia this morning, I came across an interesting tidbit from the days when facebook was still thefacebook.com. As seen in The Social Network, after launching the site Mark Zuckerberg was under investigation for potentially stealing the idea from the Winklevoss brothers.
Not covered in the movie though, while this investigation was going on Zuckerberg did a little investigating of his own, by accessing the email accounts of the investigators:
Zuckerberg knew about the investigation so he used TheFacebook.com to find members in the site who identified themselves as members of the Crimson. He examined a history of failed logins to see if any of the Crimson members have ever entered an incorrect password into TheFacebook.com. In the cases in which they had failed to login, Mark tried to use them to access the Crimson members’ Harvard email accounts, and he was successful in accessing two of them. In the end, three Crimson members filed a lawsuit against Zuckerberg which was later settled.
The way I read this, thefacebook.com was logging failed passwords! Meaning, when you entered an incorrect password on thefacebook.com’s login page, the website would save the text you entered. Obviously websites have to have a record of your password in order to authenticate you. Passwords are normally encrypted in such a way that developers cannot access the password. The wikipedia article doesn’t say whether or not regular passwords were encrypted.
However, if you were intending to use a website you created to log into email accounts of the site’s users, collecting passwords that failed would give you more passwords to try when logging in to those user’s third party email accounts.
Zuckerberg was caught breaking in to 2 accounts, but one has to wonder how many other accounts he broke in to. Remember, in 2004 (prior to gmail), email accounts did not have 2-factor authentication, they did not detect suspicious login activity, they did not have the security features we’ve come to take for granted. Anybody could log into any body else’s email accounts undetected.
Password security is the most basic of implicit trust between a website and its users. A site that is logging passwords and password attempts cannot be trusted, period.
Who knows if or how the culture at Facebook has changed. Nevertheless, if the company’s CEO was willing to exploit users for personal gain in the early days, what sort of things are they willing to do when governments or other powerful entities pressure them?