Facebook messed up again, confirming that it had stored users' passwords unencrypted, in a way that let employees easily see them.
The social media giant admitted in a blog post on Thursday that it had stored “hundreds of millions” of user account passwords in plaintext — meaning completely readable and even searchable by a viewer — for several years.
Facebook discovered the blunder back in January as part of a routine security review. The company’s Thursday blog post was apparently a response to an earlier report penned by cybersecurity journalist Brian Krebs, who said the bug stretched back to 2012.
“This caught our attention because our login systems are designed to make passwords using techniques that make them unreadable,” said Facebook’s Pedro Canahuati.
While the passwords were accessible to around 2,000 Facebook employees and developers, the social media company said it found “no evidence” that those employees abused or improperly accessed the logs.
Additionally, it said that none of the passwords were exposed or accessed by any party outside of Facebook.
In the wake of the discovery, Facebook said it will begin notifying impacted users. That includes “hundreds of millions” of Facebook Lite users, “tens of millions” of standard Facebook users, and “tens of thousands” of Instagram users.
Facebook didn’t detail exactly how many users were affected by the mishap, but Krebs indicated in his report that the number could be around 600 million across the company’s various platforms.
It’s also not clear why the passwords were stored in plaintext, which is a serious vulnerability. Companies like Facebook typically store a salted, one-way hash of each password (a “scrambled” form) rather than the password itself. That lets them verify a login attempt by recomputing the hash and comparing, without ever seeing or being able to recover the actual password.
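The store-then-verify flow described above, as an added example that is not Facebook’s code: a record holding only a salt and a PBKDF2 hash can authenticate a login without ever containing the password, and a quick review check shows whether a stored record or log line leaks the secret. The function names and the iteration count are illustrative choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example; a real deployment tunes the
# iteration count to its hardware and uses a dedicated password hash.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the only thing that should be persisted: salt + derived key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2_sha256", "iters": ITERATIONS,
            "salt": salt.hex(), "dk": dk.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Authenticate by recomputing the derivation; the stored record never
    reveals the password, and the comparison is constant-time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(dk, bytes.fromhex(record["dk"]))


def leaks_password(stored_text: str, password: str) -> bool:
    """The check a storage/log review performs: does anything written to disk
    contain the password itself (or its bare hex/base64 encodings)?"""
    import base64
    raw = password.encode("utf-8")
    needles = (password, raw.hex(), base64.b64encode(raw).decode())
    return any(n in stored_text for n in needles)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    rec = hash_password(pw)
    print("hashed record leaks password:", leaks_password(repr(rec), pw))
    # A constructed log line of the kind the article describes:
    bad_log = f'login attempt user=alice password="{pw}" ok=true'
    print("plaintext log leaks password:", leaks_password(bad_log, pw))
    print("verify correct:", verify_password(rec, pw))
    print("verify wrong:", verify_password(rec, "not my password"))
```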
Twitter and GitHub had their own plaintext password debacles last year. But Facebook’s blunder is unique because it’s only the latest in a long string of data scandals, privacy controversies, and security vulnerabilities.
Krebs noted in his report that no password resets would be required when Facebook starts notifying impacted users. Presumably, that’s because it claims that none of the passwords were actually compromised or abused.
On the other hand, if you’ve been using the same Facebook password for at least a couple of years, or you reuse that password on other platforms, it’s recommended that you go ahead and change it.