April 18, 2019: Updated to add new information about how many Instagram user passwords were exposed internally at Facebook.
Facebook confirmed March 21 that hundreds of millions of user passwords were being stored in a “readable format” within its servers, accessible to internal Facebook employees—including millions more Instagram users than previously thought. Affected users will be notified, Facebook said, so they can change those passwords.
Interestingly, Facebook downplayed and confirmed the problem in the same post, filed in late March, after researcher Brian Krebs issued his own report. Facebook’s Pedro Canahuati, vice president of engineering for security and privacy, initially referred to “some” user passwords that were accessible to Facebook employees. A paragraph later, he revealed that “hundreds of millions of Facebook Lite users, millions of Facebook users, and tens of thousands of Instagram users” would be notified.
As of April 18, Facebook said it had also discovered significantly more Instagram passwords were exposed. “We now estimate that this issue impacted millions of Instagram users,” Facebook wrote. “We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”
(Facebook Lite was launched in 2009, initially in the U.S. and India, as a simplified version of Facebook accessible to those without access to high-bandwidth internet services. It has since been pushed to many other countries. The vast majority of U.S. users use the full version of Facebook.)
Facebook said that the issue is an internal one. “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Canahuati wrote.
Facebook also discovered issues with how it stored information for things like access tokens, and fixed them. “There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” Canahuati wrote.
Researcher: 20,000 employees had access
Krebs paints a different story. Though Krebs stressed that he had no information that Facebook employees had abused their ability to read user passwords, a source told him that employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.
In total, between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees, dating back to 2012, Krebs wrote.
Somewhat oddly, a Facebook engineer named Scott Renfro told Krebs, “What we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this.”
Facebook has already had to deal with scandals that include the aftermath of a terrorist in New Zealand livestreaming his attack on a Christchurch mosque on Facebook Live, and changes made to its advertising policies to prevent discrimination in housing and credit advertising. And those were just the last two days.
What this means to you: Whether there was risk or not, if you’re notified by Facebook that your password may have been seen by Facebook employees, change it. Whether you want to continue to doing business with Facebook is up to you; if you’d like to delete Facebook, disable it, or just limit your account, here’s our guide to do so. And if you’re concerned about passwords, why not use a password manager? Here are the best password managers you can buy.
This story was updated on April 18 to reflect that more Instagram user passwords were exposed than originally reported by Facebook.