Facebook today admitted to having stored the passwords of hundreds of millions of its users in plain text, including the passwords of Facebook Lite, Facebook, and Instagram users.
The social platform says it discovered the mishap as part of a routine security review in January. The passwords were stored in a readable format within its internal data storage systems, and only its employees had access to the data, it says.
The issue has been addressed, and all of the affected users will be notified, Facebook announced.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the company says.
The number of impacted users, however, is very large. The social platform estimates that hundreds of millions of people using Facebook Lite, tens of millions of other Facebook users, and tens of thousands of its Instagram users are impacted.
“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them,” the company says.
According to security blogger Brian Krebs, Facebook is currently investigating a series of incidents regarding employees who “built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.”
Krebs also says that the passwords of between 200 million and 600 million Facebook users may have been stored in plain text, and that over 20,000 Facebook employees may have been able to search those passwords.
Some of the passwords might have been stored in plain text for seven years, Krebs says.
Facebook, which was subject to broad criticism last year after it was revealed that it had shared users’ data with other companies without informing the affected people, says it stores users’ passwords in line with security best practices, masking them so that “no one at the company can see them.”
“With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text,” the company claims.
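The technique the company describes, a salted slow hash that lets a login be checked without storing the password itself, paired with the log redaction and leak check a defender would add against the failure mode this article reports. This is an added Python example, not Facebook's code; the field names, scrypt cost parameters and sample log lines are assumptions.

```python
# Added example (not Facebook's code): store only a salted scrypt hash of
# the password, verify logins against it, and keep plaintext out of logs.
import hashlib
import hmac
import os
import re
from typing import Optional

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # assumed cost parameters; tune per deployment


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'scrypt$<salt-hex>$<hash-hex>'; the password itself is never stored."""
    salt = salt or os.urandom(16)  # fresh per-user salt defeats precomputed tables
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# The failure mode in the article: an internal application logging raw login
# requests. Redact credential fields before the request reaches any logger.
SENSITIVE_FIELDS = ("password", "passwd", "access_token")  # assumed field names


def redact_for_log(params: dict) -> dict:
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v) for k, v in params.items()}


# Audit check for existing logs: flag lines where a credential field carries a
# value that is not the redaction marker.
LEAK_PATTERN = re.compile(r"(?i)\b(password|passwd|access_token)\s*[=:]\s*(?!\[REDACTED\])\S+")

# Constructed sample log lines, not real data.
SAMPLE_LOG = [
    "2019-01-15 10:02:11 INFO login ok user=alice",
    "2019-01-15 10:02:12 DEBUG request body: user=bob password=hunter2",
    "2019-01-15 10:02:13 DEBUG request body: user=carol password=[REDACTED]",
]


def find_credential_leaks(log_lines) -> list:
    """Return indexes of log lines that contain a plaintext credential value."""
    return [i for i, line in enumerate(log_lines) if LEAK_PATTERN.search(line)]
```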
A report earlier this month revealed that US prosecutors have launched a criminal investigation into Facebook’s practice of sharing users’ data with other companies. In December last year, the social platform was accused of “cutting special deals with some advertisers to give them more access to data.”
Last year, the company admitted that the data of up to 87 million people worldwide was harvested by political consulting company Cambridge Analytica via an academic researcher’s personality prediction app.