The passwords of between 200 million and 600 million Facebook users were stored in plain text and searchable by thousands of Facebook employees for years, according to reports.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Facebook said in a statement. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
One unnamed source at Facebook said the company is still trying to figure out what was exposed and for how long, but that the problem could go back to 2012.
“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” in terms of estimating the number of users affected, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
Facebook said no one outside the company had access to the passwords.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the company said. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.”
Facebook software engineer Scott Renfro said in the report that no password resets would be required.
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
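The failure mode described above is passwords reaching a log store unmasked, even though the login path itself hashes them. As an added example (not Facebook's code), the Python below shows the two defensive controls a practitioner would want: redacting password fields before a login event is rendered to a log line, and scanning existing log lines for password fields that were logged unredacted. The field names, log format and sample lines are assumptions constructed for the example.

```python
import json
import re

# Field names whose values must never reach a log line (assumed list; extend for your own schema).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "old_password"}
REDACTED = "[REDACTED]"


def redact(obj):
    """Recursively replace the values of sensitive keys in a JSON-like structure."""
    if isinstance(obj, dict):
        return {k: REDACTED if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def format_login_event(event):
    """Render a login event as the line a logger would emit, after redaction (assumed format)."""
    return "login_attempt " + json.dumps(redact(event), sort_keys=True)


# Matches key=value and "key": "value" forms; group 2 is the value that was actually logged.
LEAK_RE = re.compile(
    r'(?i)["\']?(password|passwd|pwd|new_password|old_password)["\']?\s*[:=]\s*["\']?([^"\',\s}&]+)'
)


def find_plaintext_passwords(lines):
    """Return (line_number, field_name) pairs where a password field was logged unredacted."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in LEAK_RE.finditer(line):
            if m.group(2) != REDACTED:
                hits.append((n, m.group(1)))
    return hits


# Constructed sample log lines for the scanner; not real log data.
SAMPLE_LOG = [
    'login_attempt {"password": "[REDACTED]", "user": "alice"}',
    'login_attempt {"password": "hunter2", "user": "bob"}',          # inadvertently logged in the clear
    'debug request params: user=carol&pwd=s3cret&remember=1',       # leaked through a request-param log
    'profile_update {"password_hash": "$2b$12$abc", "user": "dan"}',  # a hash field is not flagged
]

if __name__ == "__main__":
    print(format_login_event({"user": "alice", "password": "hunter2", "client": {"app": "lite"}}))
    print(find_plaintext_passwords(SAMPLE_LOG))
```

Running the scanner over a retained log corpus gives the "was anything exposed, and since when" answer the article says Facebook was still working out; the redaction step is what keeps a future inadvertent log call from producing such lines at all.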