Facebook reported a security lapse last month in which it claims that “tens of thousands” of Instagram users’ passwords were stored in plain text and people who had access to certain internal systems could view them. The company has quietly revised the figure upwards considerably. It now says that “millions” of Instagram users’ passwords were stored in plain text in addition to “hundreds of millions of Facebook Lite users” and “tens of millions of other Facebook users.”
Passwords are normally stored in an encrypted format which enable the website to confirm that the accurate password has been entered without actually reading it. However, various errors in Facebook’s systems caused them to store passwords in plain text since 2012.
The company has said in March that it has addressed the issue. The passwords that were stored in plain text on Facebook’s servers were accessible to over 20,000 employees. Facebook says that it has investigated the access to the passwords and finds “no evidence of abuse or misuse.”
It points out that none of the passwords were exposed externally. “This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way,” a Facebook spokesperson said in a statement.