Which other large companies store plain text passwords? How long before they start trying to re-use the passwords to log in to other services without your consent?
> Which other large companies store plain text passwords?
That's not really what Facebook is saying they did. They accidentally logged passwords to a log file somewhere. They're not saying they stored them in the users database in plain text.
Irrelevant. The point was that "we accidentally logged something sensitive" is something any big tech company can (and is likely to) do. Deliberately storing passwords as plaintext in the users table much less so.
> Also, I guess they don't look at their log files?
If they were temporarily logging something for a particular reason, and forgot to turn it off, there'd be no reason to.
I think you're assuming the passwords were stored in readable format as a matter of design. That would get reviewed and flagged at any moderately competent tech company.
I think it was probably something more inane like a POST body being logged. That could slip through a reviewer's crack easily.
Gateways filter that before internal services see anything. There's not any reason to be playing with passwords beneath the Authentication layer. Credentials should be exchanged for the customer identity and expirable nonce. If that mistake happened in the authentication/authorization layer then it becomes a big question of competence.
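The POST-body logging mistake discussed above, as an added example that is not code from the thread or from any company mentioned in it: a scrubber that redacts credential fields before a request line reaches the log, next to the unscrubbed version, plus a check that flags credential-looking values in an existing log. The key names, sample body and log lines are constructed.

```python
import json
import re

# Constructed list of field names that must never reach a log verbatim.
SENSITIVE_KEYS = {"password", "passwd", "pass", "token", "secret", "authorization"}


def redact(obj):
    """Recursively replace the values of sensitive keys with a fixed marker."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_line_unsafe(method, path, body):
    # The mistake: the whole POST body, password included, is written out.
    return f"{method} {path} body={json.dumps(body)}"


def log_line_safe(method, path, body):
    # The fix: the body is scrubbed before the line is built.
    return f"{method} {path} body={json.dumps(redact(body))}"


# Detection over an existing log: a credential-looking key whose value is
# anything other than the redaction marker.
LEAK_PATTERN = re.compile(
    r'"(?:password|passwd|pass|token|secret)"\s*:\s*"(?!\[REDACTED\]")[^"]+"',
    re.IGNORECASE,
)


def find_leaks(lines):
    """Return the log lines that appear to carry an unredacted credential."""
    return [ln for ln in lines if LEAK_PATTERN.search(ln)]


if __name__ == "__main__":
    body = {"username": "alice", "password": "hunter2", "remember": True}
    constructed_log = [
        log_line_unsafe("POST", "/login", body),
        log_line_safe("POST", "/login", body),
        'GET /profile body={"id": 42}',
    ]
    for ln in find_leaks(constructed_log):
        print("possible credential in log:", ln)
```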
Funny that you mention Amazon, because open S3 buckets have been implicated in dozens of security breaches.
It's not so much that Amazon is the culpable party in those instances, but so many times have I encountered a headline citing a "massive exposure of protected data" and somewhere in the body of the article, someone had dropped everything into an S3 bucket marked open read for public everyone.
So, is it Amazon's fault? This sort of thing was an FTP server thing, before S3 reduced the hardware infrastructure overhead of setting up and maintaining your own secure FTP server...
But, then again, lowering the technical bar meant letting in more and more non-experts, and naive, or otherwise less competent people. This, of course, broadens market penetration, and increases revenue. So, to add barriers, irritating warnings, nanny-goat advisories, hazard alarms to such a versatile and useful product might seem tantamount to leaving money on the table. After all, the goal of the product is ease of use. And, by the way, how does one solve the problem of bone-headed users?
But, you know, there's the real distinction between an AWS S3 data breach and a Facebook data breach: with S3, you've shot yourself in the foot. Facebook, on the other hand, is pointing a gun at you.