Facebook admits storing millions of user passwords in plain text, accessible to employees
A majority of the accounts that were affected used Facebook Lite, a version used in regions with slower connectivity.
Facebook on Thursday acknowledged that hundreds of millions of user passwords were stored in a readable format in its internal data storage system and that the glitch has now been fixed. The company said the passwords were not visible to anyone outside the company and claimed it did not find any evidence of access being abused.
Facebook issued a statement after a blog, KrebsOnSecurity, reported that hundreds of millions of account passwords were stored in plain text and searchable by over 20,000 Facebook employees. The post reported that passwords dating back to 2012 were stored in readable text.
KrebsOnSecurity is a blog that covers computer security and cybercrime.
Facebook said it had found the issue during a routine security review in January. “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” said Pedro Canahuati, vice president of engineering, security and privacy.
Facebook said “hundreds of millions” of accounts that were affected used Facebook Lite, a version of the social media platform used in regions with slower connectivity. It said “tens of millions” of other Facebook users and “tens of thousands” of Instagram users were also affected.
According to KrebsOnSecurity, a Facebook source said between 200 million and 600 million Facebook users may have had their account passwords stored in plain text.
In September, Facebook said it had discovered a security breach that had affected about 50 million users.