So Facebook "determined" that the passwords were not "internally abused" or "improperly accessed". But, they could have been accessed. When employees have access to passwords, how does FB know that they were not transferred outside of FB? An employee could have taken pictures, or have a photographic memory and remember a large number of passwords.
I really want to be a fly on the wall at the meeting where the inevitable "you shouldn't have done this" statement is countered with "but you said we should move fast and break things".
This would never happen at Amazon and I am sure at every other major tech company. There are systems in place to prevent exactly this.
What a complete mess.
We have had the cryptographic technology for years that allows us to authenticate ourselves to third parties without giving them secret information. Why are we still using passwords?
I will say here what I said on security Slack just a few minutes ago:
Security people see shit like this all the time. Facebook found a raw request log, which inevitably contained lots of passwords. Rather than doing what most tech companies would have done --- delete the log and pretend nothing ever happened --- they disclosed the log in a fashion that guaranteed a whole news cycle about it.
I don't like Facebook. Facebook is bad. But Facebook handled this about as well as I've seen anyone handle this. Cheers to them for that. This story is not a good reason to single Facebook out.
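The comment above describes the root failure: a raw request log that "inevitably contained lots of passwords". The usual mitigation is to redact credential fields and authorization headers before a request ever reaches the log writer. The following is an added example of such a redaction layer, not code from Facebook or from any commenter on this thread; the field names in SENSITIVE_KEYS, the sample requests, and the log format are assumptions chosen for illustration.

```python
import json
from typing import Any, Dict
from urllib.parse import parse_qsl, quote_plus

# Assumed list of credential-bearing field names; extend it for your application.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "old_password", "token", "secret"}
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
REDACTED = "[REDACTED]"


def _is_sensitive(key: str) -> bool:
    """A key is sensitive if it is in the list or merely contains 'password'."""
    k = key.lower()
    return k in SENSITIVE_KEYS or "password" in k


def redact_mapping(obj: Any) -> Any:
    """Recursively replace sensitive values in parsed JSON (dicts, lists, scalars)."""
    if isinstance(obj, dict):
        return {k: (REDACTED if _is_sensitive(str(k)) else redact_mapping(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_mapping(v) for v in obj]
    return obj


def redact_form(body: str) -> str:
    """Redact sensitive fields in an application/x-www-form-urlencoded body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return "&".join(
        f"{quote_plus(k)}={REDACTED if _is_sensitive(k) else quote_plus(v)}" for k, v in pairs
    )


def redact_body(content_type: str, body: str) -> str:
    """Return a loggable version of the body; unknown or unparsable bodies are never logged."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/json":
        try:
            return json.dumps(redact_mapping(json.loads(body)), sort_keys=True)
        except ValueError:
            return REDACTED  # unparsable JSON: drop it rather than risk logging a secret
    if ct == "application/x-www-form-urlencoded":
        return redact_form(body)
    return "[BODY OMITTED]"


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Mask headers that carry session or API credentials."""
    return {k: (REDACTED if k.lower() in SENSITIVE_HEADERS else v) for k, v in headers.items()}


def log_line(method: str, path: str, headers: Dict[str, str], body: str) -> str:
    """Build the single line that is safe to hand to the request logger."""
    content_type = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    safe_headers = json.dumps(redact_headers(headers), sort_keys=True)
    return f"{method} {path} headers={safe_headers} body={redact_body(content_type, body)}"


if __name__ == "__main__":
    # Constructed sample login requests; the password values are fake.
    print(log_line("POST", "/login",
                   {"Content-Type": "application/x-www-form-urlencoded", "Cookie": "sid=abc"},
                   "email=a%40b.com&password=hunter2"))
    print(log_line("POST", "/api/login",
                   {"Content-Type": "application/json", "Authorization": "Bearer tok"},
                   '{"user":{"name":"alice","password":"hunter2"},"remember":true}'))
```

The design choice worth noting is the default: anything the redactor does not recognise (an unknown content type, a JSON body that fails to parse) is omitted rather than logged verbatim, because a logger that falls back to raw output is exactly how a password-laden request log comes to exist.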