Facebook officials admitted on Thursday that the tech giant stored hundreds of millions of user passwords in plain text — able to be read by employees.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Facebook’s vice president of engineering, security and privacy Pedro Canahuati wrote in a post on the company’s website Thursday morning.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” he added. “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
The company did not say why it waited until March to notify users.
The news was first reported by the cybersecurity journalist Brian Krebs on his blog, Krebs on Security, before Facebook issued its statement. Although the company did not disclose how long the passwords had been insecurely stored, Krebs’ report said the problem existed for years.
The company said the passwords weren’t visible to anyone outside of the company, adding that “we have found no evidence to date that anyone internally abused or improperly accessed them.”
“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity,” Canahuati wrote.
Facebook recommends users change their passwords and use two-factor authentication or a security key.