Facebook left ‘hundreds of millions’ of passwords unsecured

Facebook announced on Thursday that “hundreds of millions” of users’ passwords had been stored in unprotected plain text accessible by the company’s employees.

In a blog post titled “Keeping Passwords Secure,” the social media giant said it had found no reason to believe the trove of passwords had been abused by its workers or accessed by anyone outside the company.

“There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” Pedro Canahuati, the company’s vice president for engineering security and privacy, wrote in the post.

Facebook did not specify exactly how many users were affected by the password exposure, but said the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a service for users who lack access to strong internet connections.

Brian Krebs, a well-regarded cybersecurity journalist who first broke the news, reported Thursday that an internal investigation had found that anywhere between 200 million and 600 million users had their passwords exposed in a database that was accessible by more than 20,000 Facebook employees.

According to Krebs, Facebook believes that some of the passwords had been stored in plain text as early as 2012.