• metadat 2 days ago

    Related:

    EU privacy regulator fines Meta 91M euros over password storage https://news.ycombinator.com/item?id=41669912 - September 2024 (28 comments)

    • undefined 2 days ago
      [deleted]
      • ChrisArchitect a day ago
        • maxandrew 2 days ago

          No way this was accidental. You'd fail an interview for suggesting something like this.

          • nerdix a day ago

            Sounds like they logged passwords in plaintext. I seriously doubt that was done intentionally.

            I think every developer has some idea how this could have happened.

            Someone is working on a bug. "I'll print this state out to console and remove before committing." Forgets to remove it and does git add *. It's overlooked in code review and is then pushed to prod. Once running, the stdout of the process is automatically shipped to some log database. And just like that, there are now passwords in plaintext in the log database.

            Sloppy as hell? Sure. Malicious? Highly unlikely.

            • KeepFlying a day ago

              My favorite is "I'll log out the state of this object, it's all okay for privacy because I've checked every field and gotten the privacy reviews to prove it" then a few months later someone adds a new field to the object not realizing it's logged by a lower layer to a table no one remembers exists....

              Then a month later someone queries that table and....oh shit.

              • nerdix 15 hours ago

                That's a good one. Seems like a scenario that is even more likely to happen because it would be much harder to find it in a code review than printf("user: %s, password: %s", userName, password), especially in a very large codebase. There is a lot less negligence required (though obviously not completely negligence-free).
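The scenario nerdix and KeepFlying describe above, as an added example (not code from the thread or from any product discussed in it): a request object that was reviewed as safe to log with %r, a later version that grows a password field the lower-layer logging never knew about, a hardened repr that only emits fields explicitly marked for logging, a log filter that redacts secret-looking key=value pairs as a second line of defence, and a scan over constructed log lines of the kind that would turn up when "someone queries that table". Class and function names (LoginRequest, SafeReprMixin, RedactSecrets, render_log, find_secret_leaks) and the sample log lines are hypothetical.

```python
import logging
import re
from dataclasses import dataclass, field, fields
from io import StringIO

# Added example: hypothetical names, not the code of any real project.


@dataclass
class LoginRequest:
    """As originally reviewed: no secret fields, so logging %r was judged fine."""
    user: str
    client_ip: str


@dataclass
class LoginRequestV2(LoginRequest):
    """Months later someone adds the password; the lower layer still logs %r."""
    password: str


class SafeReprMixin:
    """Repr that emits only fields explicitly marked metadata={"log": True}."""

    def __repr__(self):
        safe = [(f.name, getattr(self, f.name)) for f in fields(self) if f.metadata.get("log")]
        body = ", ".join("%s=%r" % (name, value) for name, value in safe)
        return "%s(%s)" % (type(self).__name__, body)


@dataclass(repr=False)  # repr=False so the mixin's allowlisting __repr__ is used
class LoginRequestV3(SafeReprMixin):
    user: str = field(metadata={"log": True})
    client_ip: str = field(metadata={"log": True})
    password: str = field(metadata={})  # new field, not marked, so never logged


# key=value or key: value for secret-looking keys; group 4 is the value.
SECRET_KV = re.compile(r"(?i)\b(password|passwd|secret|token)(\s*[=:]\s*)(['\"]?)([^,'\")\s]+)")


class RedactSecrets(logging.Filter):
    """Rewrites the rendered message so secret values never reach a handler."""

    def filter(self, record):
        record.msg = SECRET_KV.sub(r"\1\2\3[REDACTED]", record.getMessage())
        record.args = ()  # message is already rendered; nothing left to format
        return True


def render_log(req, redact=False):
    """Render the lower layer's debug line as the log shipper would see it."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redact:
        handler.addFilter(RedactSecrets())
    logger = logging.getLogger("auth.%d" % id(buf))
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        logger.debug("auth: request=%r", req)  # the line nobody remembers exists
    finally:
        logger.removeHandler(handler)
    return buf.getvalue().strip()


def find_secret_leaks(lines):
    """Return (line_no, key) for each log line still carrying a secret value."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in SECRET_KV.finditer(line):
            if m.group(4) != "[REDACTED]":
                hits.append((n, m.group(1).lower()))
    return hits


# Constructed sample of what a query against the forgotten log table might return.
SAMPLE_LOG = [
    "DEBUG auth: request=LoginRequestV2(user='alice', client_ip='10.0.0.5', password='hunter2')",
    "INFO auth: login ok user=alice",
    "DEBUG auth: request=LoginRequestV2(user='bob', client_ip='10.0.0.6', password='[REDACTED]')",
    "DEBUG session: token=abc123def issued",
]

if __name__ == "__main__":
    v2 = LoginRequestV2("alice", "10.0.0.5", "hunter2")
    print(render_log(v2))                # password leaks via the default repr
    print(render_log(v2, redact=True))   # filter catches it after the fact
    print(render_log(LoginRequestV3("alice", "10.0.0.5", "hunter2")))  # allowlist repr
    print(find_secret_leaks(SAMPLE_LOG))
```

The allowlist repr is the fix that survives the "someone adds a field later" case: a new field is silent by default, and marking it for logging is a visible diff a reviewer can question. The regex filter is only a backstop, since it can only catch values that sit next to a recognisable key name.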

            • appendix-rock 2 days ago

              You’d fail an interview for doing a bunch of things that are done in orgs every day. What’s your point?