Earlier in March, Facebook said that millions of users’ passwords had been stored on its servers in plaintext, and that this had been going on for a period of seven full years.
While the social media giant was quick to clarify that there were no signs of misuse of this confidential data, the revelation came just a week after it was confirmed that Facebook is under a federal criminal investigation over its data-sharing practices.
When this incident unfolded, Facebook initially said that tens of thousands of Instagram users’ passwords were also stored in the same unencrypted format. However, as it turns out, the real figure was in the millions.
In an update to its original blog post, Facebook now confirms that not thousands but millions of Instagram passwords were stored on its servers in a readable format. Here’s what Facebook said:
“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”
These unencrypted, plaintext passwords were openly available to thousands of Facebook employees. If it brings you any solace, Facebook, in its efforts to gain ‘trust’, says that there’s no “evidence to date” that someone within Facebook misused or wrongly accessed the passwords.
Moreover, since the passwords were stored on internal servers, no outsiders had access to them, according to Facebook. Critics believe that Facebook knew of this incident from the beginning and waited for the right time to share the real numbers with the world.
Anyhow, what better time to release the update than now? After all, the Mueller report comes out soon, and the media seem to be preoccupied. Facebook says that it will be informing Instagram users whose passwords were improperly stored.
Additionally, it recommends that Instagram users who are concerned about the privacy of their accounts change their passwords right away and make sure two-factor authentication is enabled.