Millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees, according to a report.
The passwords were unencrypted, were accessible to as many as 20,000 Facebook employees, and dated back as early as 2012, according to cybersecurity blog KrebsOnSecurity, which first reported the security misstep.
Facebook has confirmed the issue, which it discovered in January during a “routine security review.”
The company acknowledged that a bug in its password management systems had caused hundreds of millions of user passwords for Facebook, Facebook Lite, and Instagram to be stored as plaintext in an internal platform.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the company wrote in a blog post.
Facebook says the issue has been resolved and it will alert “hundreds of millions” of people whose passwords were visible. Krebs on Security reported that the visible passwords belonged to between 200 million and 600 million users.
“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity,” the company said.
The company has also reportedly set up a small task force to conduct a broad-based review of anywhere else this might be happening. It said that it would enforce a password reset if the task force uncovered abuse of the login credentials.
This is the latest in a string of bad security issues for Facebook. Last year, a hacker was able to access personal information from 29 million accounts after stealing login tokens. Earlier, the company was implicated in the wide-scale improper data-sharing issues that involved Cambridge Analytica.