Facebook admitted on Thursday (April 18) that millions of Instagram passwords were available to be seen by employees in a company-wide database, according to a report by CNBC.
The admission is an update to a Facebook blog post released on March 21 stating that millions of Facebook passwords were also viewable by employees. In the original post, Facebook said the exposed Instagram passwords numbered in the thousands.
“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users,” Facebook wrote in the post. “We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”
The original blog post by Facebook was a response to an investigation by cybersecurity reporter Brian Krebs, who discovered that up to 600 million passwords were exposed.
Also on Thursday (April 18), Facebook admitted it might have “unintentionally uploaded” the email contacts of 1.5 million new users since May of 2016, according to a report from Reuters. The company said it stopped offering email password verification as an option for first-time signups in March. However, there were cases of people’s email contacts being uploaded to Facebook when accounts were created.
“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we are deleting them,” Facebook told Reuters.
Another media outlet also reported Facebook had been harvesting email addresses without knowledge or consent. When a user would input an email password, the company would import contacts without asking for permission.
Facebook has been under the microscope of lawmakers around the world for its perceived privacy issues as well as some other concerns, including data ownership and the proliferation of hate speech.
During elections, Facebook was asked by lawmakers to make sure the platform wasn’t being used to spread lies or falsehoods.