> found Meta to have inadvertently stored certain passwords of social media users on its internal systems without encryption, and fined it €91m (£75m)
WTF? I thought that in 2010 people were already diligent enough to avoid even sending the password and instead just hashed it locally before even sending it.
That is not standard even today. The main threat is in transit over the network, which https/TLS solves, but obviously this won’t stop error traces or logging on the server from including request bodies.
If you do hash locally (not sure I’ve seen any big players do this), you also need to be hashing server side (or else the hash is basically a plain text password in the database!)
That said, I’m not sure why companies don’t adopt this double hashing approach. Complexity maybe? I know it could limit flexibility a little as some services like to be able to automatically attempt capitalization variations (e.g. caps lock inverse) on the server. Anyways in 2026 we should all be using passkeys (if they weren’t so confusing to end-users, and so non-portable)
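An added example (not from any commenter in this thread) of the two-stage scheme the comment above describes: the client pre-hashes before sending, the server hashes the received value again before storing, and a check shows why skipping the server-side step leaves a login-equivalent value in the database. The function names, the PBKDF2/scrypt choices and the username-derived client salt are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Added example, not code from the thread or from any product it discusses.
CLIENT_ITERATIONS = 100_000   # illustrative PBKDF2 cost for the client side
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1   # illustrative server-side cost


def client_prehash(username: str, password: str) -> bytes:
    """Runs in the client. The salt is derived from the lower-cased username
    (an assumption) so the client can recompute it with no server round trip.
    Side effect noted in the comment: the server only ever sees this digest,
    so it can no longer try capitalization variants of the password itself."""
    salt = hashlib.sha256(b"client-prehash:" + username.lower().encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS)


def server_store(transmitted: bytes) -> dict:
    """Runs on the server. Treats the transmitted pre-hash as the secret and
    hashes it again with a fresh random salt. Only this record is persisted;
    the transmitted bytes must not be written to the database or to logs."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(transmitted, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return {"salt": salt, "digest": digest}


def server_verify(record: dict, transmitted: bytes) -> bool:
    """Recomputes the server-side hash and compares in constant time."""
    digest = hashlib.scrypt(transmitted, salt=record["salt"],
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(digest, record["digest"])


def record_is_login_equivalent(record: dict, transmitted: bytes) -> bool:
    """The failure mode the comment warns about: if the stored digest equals
    what the client sends, a database dump is as good as the password."""
    return hmac.compare_digest(record["digest"], transmitted)


if __name__ == "__main__":
    sent = client_prehash("alice", "correct horse battery staple")  # constructed
    rec = server_store(sent)
    print("login ok:", server_verify(rec, sent))
    print("wrong password rejected:", not server_verify(rec, client_prehash("alice", "wrong")))
    print("stored row reusable as credential:", record_is_login_equivalent(rec, sent))
```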
That's never been standard. Passwords in log files are a common issue, crazy you can get fined 8 digits for it.
Extremely doubtful to have occurred in the past 10 years. It's pretty much impossible to access anything on the graph without a business reason and managerial approval.
This would've been an embarrassing security lapse in 2007. In 2024(?) it's despicable.
I was at a party once with Facebook employees and they were telling stories about how they would spy on who visited whose profiles. They thought it was so funny, they could "tell" who had a crush on who. I deleted my account as soon as I got home. Vile company.
That must have been a long time ago. Nowadays there are a lot of safeguards and that's one of the things that gets you fired right away.
Nowadays when you visit someone's profile you show up on their suggested friend list. Creepy or cute, a deliberate information leak.
Viewing someone's profile without them knowing is not creepy?
It is creepy, that's what they're saying.
What I understood is that "showing up on their suggested friends list is creepy, and it's an information leak". The way I read that is that they would prefer not to show when someone visited their profile. And that's what I consider creepy.
I keep reading the same statements here for the past 10+ years, every time some similar fuckup @fb happens. Every. Single. Time.
0 trust in that company, 0 trust in its employees.
Wouldn't surprise me. Everyone clutches their pearls and hits the downvote button as soon as you mention the Zucc quote, but has there really been any evidence that the company culture has matured away from "They Trust Me - Dumb fucks"?
Wouldn’t it be nice if the scope of what you witnessed was limited to that one company…
What other companies have the scope of Meta(-stasis) FB?
Google, since you asked.
But the point is: Facebook attracts these employees, it doesn’t breed them.
Are they able to see these data of whichever user whenever they want with no trails at all??
It certainly sounded like it, or that no one cared about the trails since they thought it was so hilarious.
Absolutely not. I'm no friend of Zucc, but the graph is protected by a permission system that won't show almost anything for employees without making a request including a legitimate business reason, for a limited time and scope, and managerial approval.
Tesla employees talk about recordings of people fucking in cars around the watercooler.
Hope the host checked thoroughly for missing property after everyone left, because I wouldn't put it past a metamate.
What a creep.
What is it that Zuck called people who trusted him? Oh right
Dumbfucks