Back in March, Facebook announced that millions of Facebook passwords were stored on its servers in plain text with no encryption. At the time, Facebook also said that “tens of thousands” of Instagram passwords were also stored in the same unencrypted format, but as it turns out, the actual number was much, much higher.
In an update to its original blog post, Facebook now says that millions of Instagram passwords were stored on its servers in a readable format.
Update on April 18, 2019 at 7AM PT: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.
These unencrypted, plain text passwords were accessible to thousands of Facebook employees, and while Facebook says that there’s no “evidence to date” that anyone within Facebook abused or improperly accessed the passwords, it’s highly concerning.
Instagram user names, unlike Facebook usernames, can be highly appealing to thieves. Short names can sell for quite a lot of money, which makes Instagram passwords rather valuable.
Facebook was not forthcoming about the discovery of additional impacted Instagram accounts, burying it in a month-old blog post and, as Recode points out, releasing the update just before the Mueller report came out and media sites were distracted.
Facebook will be notifying Instagram users whose passwords were improperly stored, and Instagram users who are concerned about their accounts should change their passwords and make sure two-factor authentication is enabled.
Facebook’s latest security leak comes just a day after news spread that Facebook harvested the email contacts of 1.5 million Facebook users without their consent and used the data to build a web of social connections.
Earlier this week, a scathing report also outlined how Facebook leveraged user data to punish its rivals and reward companies who paid heavily into Facebook advertising and shared data of their own.