
Facebook announced Thursday that the company stored hundreds of millions of passwords in plain text, allowing employees to read user passwords. The company said it discovered the security problem in January while conducting a review.
Facebook acknowledged the security failure in a press release, saying that users whose passwords had been stored in a readable format would be notified.
"These passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," the company wrote. "We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity."
When asked by Newsweek why the company had not publicized the security concerns in January, a spokesperson said, "We initially found some passwords as part of a routine security review in January, which prompted us to conduct a more in-depth security review across our platforms to look for similar issues. Given that these passwords were stored incidentally across a variety of systems and under particular circumstances, this has taken us some time to complete."
Facebook wrote that it changes the passwords of users, altering plain text into a string of random characters.

The company announcement followed a report from security researcher Brian Krebs, who wrote that between 200,000 and 600,000 Facebook users had their passwords stored in plain text as early as 2012, citing an anonymous source from Facebook.
Krebs also said that the passwords could have been searched by 20,000 employees.
Newsweek reached out to the computer science and artificial intelligence lab at MIT for comment on the risk of the security breach and whether users should change their passwords but had not heard back by the time of publication.
Facebook offered information instructing users how to change passwords for Instagram and Facebook and recommended setting up two-factor authentication. However, the company did not advise users to do so.
The news of the internal password exposure follows recent news reports that have shaken public faith in Facebook.
Last year, Facebook CEO Mark Zuckerberg testified before Congress over the Cambridge Analytica scandal. About 87 million Facebook users had their data improperly collected by the now-defunct political consulting firm.