Facebook plans to notify hundreds of millions of users their passwords were stored in an insecure format that could have allowed company employees to access and view login credentials.
An internal investigation has found that between 200 million and 600 million Facebook users may have had their passwords stored in plain text and searchable by more than 20,000 employees, according to KrebsOnSecurity, which first reported the news.
There is no evidence anyone outside Facebook viewed the passwords, the company said in a statement Thursday, adding there’s also nothing to indicate company employees improperly accessed the information.
The company estimated it will notify “hundreds of millions” of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Facebook said. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
In its statement Facebook also says that in the course of its review employees “have been looking at the ways we store certain other categories of information – like access tokens – and have fixed problems as we’ve discovered them.” The company has not elaborated on any such problems.
Facebook has been the subject of ongoing public scrutiny due to a series of security incidents over the past year. The company said in October that some 30 million accounts were affected by a breach of user profiles, revising that number from an earlier report that 50 million accounts had been impacted. That came after the Cambridge Analytica scandal, in which Facebook said it improperly shared information about up to 87 million users with that political consultancy.