Facebook stored millions of Instagram passwords in plain text

A lot more than initially stated

Illustration by Alex Castro / The Verge

Facebook says it stored millions of Instagram users’ passwords in plain text, leaving them exposed to people with access to certain internal systems. The security lapse was first reported last month, but at the time, Facebook said it only happened to “tens of thousands of Instagram users,” whereas the number is now being revised up to “millions.” The issue also affected “hundreds of millions of Facebook Lite users” and “tens of millions of other Facebook users.”

Passwords are supposed to be stored in a hashed format, a one-way transformation that allows websites to confirm what you’re entering without directly reading it. But as Krebs on Security first reported, various errors seem to have caused Facebook’s systems to log some passwords in plain text since as early as 2012. Facebook noticed the problem in January and said in March that the issue had been resolved.
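To make the storage scheme and the logging failure described above concrete, here is an added example (not code from Facebook or from the original article). It stores a password as a salted scrypt hash and attaches a log filter that scrubs password fields before they are written; the scrypt parameters, field names and sample log lines are assumptions constructed for illustration.

```python
import hashlib
import hmac
import logging
import os
import re

# Assumed scrypt cost parameters, chosen for illustration.
N, R, P = 2**14, 8, 1

def hash_password(password: str) -> str:
    """Return 'scrypt$<salt>$<digest>'; the password itself is never stored."""
    salt = os.urandom(16)  # a fresh salt per password defeats precomputed tables
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=N, r=R, p=P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Matches password=..., "password": "...", pwd: ... in form-encoded or JSON-like text.
SENSITIVE = re.compile(
    r"\b(password|passwd|pwd)([\"']?\s*[=:]\s*[\"']?)([^\s&\"',}]+)",
    re.IGNORECASE,
)

def redact(line: str) -> str:
    """Replace the value of any password-like field with a marker."""
    return SENSITIVE.sub(r"\1\2[REDACTED]", line)

class RedactPasswords(logging.Filter):
    """Attach to a handler so no record reaches disk with a password in it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = ()
        return True

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactPasswords())
    log = logging.getLogger("auth-demo")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample: a request body logged verbatim by mistake.
    log.info("POST /login body=%s", '{"user": "bob", "password": "s3cret!"}')
    stored = hash_password("s3cret!")
    log.info("stored=%s ok=%s", stored, verify_password("s3cret!", stored))
```

A filter like this is a safety net; the stronger control is never passing raw request bodies or credential fields to the logger in the first place.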

The passwords were stored within Facebook and were accessible to more than 20,000 employees, according to Krebs. Facebook says it investigated access to the passwords, and that it found “no evidence of abuse or misuse.” It also says no passwords were exposed externally. Facebook doesn’t seem to be actively recommending that people change their passwords.

“This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way,” a Facebook spokesperson said in a statement.

Today’s update just expands the scope of the security lapse. Facebook has had a particularly bad year when it comes to security issues — Cambridge Analytica, a giant hack, another hack — and this news comes the same day that we found out Facebook had been accessing and storing some users’ email contacts without their permission, after encouraging users to hand over their email address passwords. Facebook says it’ll be contacting all the people whose Instagram passwords were improperly stored.