
Facebook Stored Passwords of Hundreds of Millions Users in Plain Text

Facebook today admitted to having stored the passwords of hundreds of millions of its users in plain text, including the passwords of Facebook Lite, Facebook, and Instagram users.

The social platform says it discovered the problem during a routine security review in January: the passwords were stored in a readable format within its internal data storage systems. Access to that data, it says, was limited to its employees.

The issue has been addressed, and all of the affected users will be notified, Facebook announced. 

“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the company says.

The number of impacted users, however, is very large. The social platform estimates that hundreds of millions of people using Facebook Lite, tens of millions of other Facebook users, and tens of thousands of its Instagram users are impacted. 

“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them,” the company says. 

According to security blogger Brian Krebs, Facebook is currently investigating a series of incidents regarding employees who “built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.”

Krebs also says that the passwords of between 200 million and 600 million Facebook users may have been stored in plain text, and that over 20,000 Facebook employees may have been able to search those passwords. 

Some of the passwords might have been stored in plain text for seven years, Krebs says. 
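The failure mode Krebs describes above is ordinary application code writing whatever it receives, credentials included, into logs that other employees can search. One defensive control is a scrubbing filter in front of every log handler, so a stray debug statement cannot persist a password even if a developer logs the raw request. The following is an added example for this article, not code from Facebook or from Krebs's reporting; the field names, the `login-debug` logger name and the sample messages are constructed for illustration.

```python
import io
import logging
import re

# Field names an internal tool is likely to dump by mistake. Constructed for this
# example; extend the list to the names your own services actually use.
_SECRET_KEYS = r"(?:password|passwd|pwd|access_token|token)"

# JSON-style:  "password": "hunter2"
_JSON_SECRET = re.compile(rf'("{_SECRET_KEYS}"\s*:\s*")([^"]*)(")', re.IGNORECASE)
# key=value or key: value, as in query strings, form bodies and ad-hoc debug prints
_KV_SECRET = re.compile(rf'(\b{_SECRET_KEYS}\s*[=:]\s*)([^&\s,;"]+)', re.IGNORECASE)


def redact(text: str) -> str:
    """Replace the value of every secret-looking field with a fixed marker."""
    text = _JSON_SECRET.sub(r"\1[REDACTED]\3", text)
    text = _KV_SECRET.sub(r"\1[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Scrub the fully rendered message before any handler writes it.

    The filter renders msg % args first, so a secret passed as a format argument
    is caught as well as one embedded in the message string."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(name: str = "login-debug"):
    """Return a logger that writes to an in-memory buffer through the filter.

    A real deployment attaches the same filter to file or syslog handlers."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addFilter(RedactingFilter())  # on the logger: covers every handler
    logger.addHandler(handler)
    return logger, buf


def log_and_capture(msg: str, *args) -> str:
    """Log one message through the redacting logger and return what was written."""
    logger, buf = build_logger()
    logger.debug(msg, *args)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample lines of the kind an internal login-debugging tool might emit.
    print(log_and_capture("login attempt user=alice password=hunter2 ip=10.0.0.5"), end="")
    print(log_and_capture('request body: {"user": "bob", "password": "s3cret!", "access_token": "EAAB"}'), end="")
    print(log_and_capture("login ok user=%s pwd: %s", "carol", "Tr0ub4dor&3"), end="")
```

The filter is a safety net, not a substitute for never handing the raw credential to the logging layer; a field name the patterns do not know about will still leak, which is why the key list must be maintained and why log stores holding authentication traffic deserve the same access controls as the credential store itself.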

Facebook, which was subject to broad criticism last year after it was revealed that it shared users’ data with other companies without informing the affected people, says it normally stores users’ passwords in line with security best practices, masking them so that “no one at the company can see them.”

“With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text,” the company claims. 
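The technique the company alludes to is password hashing: the server keeps only a salted, deliberately slow one-way hash, recomputes it from the submitted password at login, and compares. Below is an added example of that scheme, written for this article; it is not Facebook's code and the page does not say which hash function Facebook uses. The record format, the `pbkdf2-sha256` label and the iteration count are this example's own choices (the count follows current OWASP guidance for PBKDF2-HMAC-SHA256); a memory-hard function such as scrypt or Argon2 is preferable where available.

```python
import hashlib
import hmac
import os

# Example parameters, not values attributed to any real service.
ALGO = "pbkdf2-sha256"
ITERATIONS = 600_000   # slows brute force; raise as hardware gets faster
SALT_LEN = 16          # random per record, so equal passwords give unequal hashes
KEY_LEN = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way, slow derivation of a fixed-length key from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def create_record(password: str) -> str:
    """What actually goes to disk at sign-up: algorithm, cost, salt and hash.

    The plaintext is used once, here, and is not part of the stored record."""
    salt = os.urandom(SALT_LEN)
    digest = _derive(password, salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_record(record: str, password: str) -> bool:
    """Login check: recompute with the stored salt and cost, compare in constant time.

    The cost is read from the record so old records stay verifiable after
    ITERATIONS is raised; a stronger hash can be written back on success."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported password record: {algo}")
    candidate = _derive(password, bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample credential for demonstration.
    rec = create_record("correct horse battery staple")
    print("stored:", rec)
    print("right password accepted:", check_record(rec, "correct horse battery staple"))
    print("wrong password rejected:", not check_record(rec, "correct horse battery stable"))
```

Two properties matter for an incident like the one described in this article: the stored record reveals nothing an employee could use to log in as the user, and two users with the same password produce different records, so a leaked table cannot be attacked with a single precomputed dictionary. Neither property helps if a separate code path logs the password before it reaches `create_record`, which is exactly the gap the article reports.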

A report earlier this month revealed that US prosecutors have launched a criminal investigation into Facebook’s practice of sharing users’ data with other companies. In December last year, the social platform was accused of “cutting special deals with some advertisers to give them more access to data.” 

Last year, the company admitted that the data of up to 87 million people worldwide was harvested by political consulting company Cambridge Analytica via an academic researcher’s personality prediction app. 

Related: Mark Zuckerberg Describes a New Privacy-Centric Facebook

Related: Facebook Says ‘Clear History’ Feature Ready This Year

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
