Facebook passwords of around 600 million users were stored on the company’s servers in plain text, according to a KrebsOnSecurity report, which quotes a senior Facebook employee. The passwords were searchable by over 20,000 Facebook employees, the report adds.
The inquiry so far has revealed archives of user passwords in plain text dating back to 2012, though Facebook’s investigation still seems to be underway. Facebook denied in a blog post that the passwords were visible to anyone outside of the company, or that they were abused or improperly accessed by its employees.
The issue was first flagged in January 2019 by the company’s security engineers, Facebook software engineer Scott Renfro told KrebsOnSecurity. “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Facebook said in the post.
Meanwhile, Facebook has said that it has fixed the issue and it will be notifying everyone whose passwords have been stored in plain text.
The company said it expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Though it did not give out exact numbers of users whose passwords were exposed, the report puts it between 200 million and 600 million.
Facebook and Instagram users are advised to change their passwords, even though Facebook insists that there was no evidence of abuse of exposed passwords. Two-factor authentication is also recommended as it adds an extra layer of security. The feature requires users to enter a code every time they log in to their account.