Facebook exposed “millions” of Instagram passwords in plain text
In yet another shocking admission by Facebook, the company said that not “tens of thousands” but “millions” of Instagram users were actually affected by the password leak that happened last month.
Back then, Facebook had announced in a blog post dated March 21, 2019 that passwords were left in a “readable format”, which allowed at least 2,000 Facebook engineers and developers with access to the company’s internal systems to view the actual plain text passwords.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution will be notifying everyone whose passwords we found stored this way,” wrote Pedro Canahuati, Vice President, Engineering, Security and Privacy at Facebook.
Facebook had estimated that hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users were affected by the password leak.
However, on April 18, 2019, Facebook quietly updated the above blog post to revise the number of affected Instagram users from “tens of thousands” to “millions”.
“We discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others,” said the social networking giant in an update. However, the company did not mention how many millions of accounts were impacted by the breach.
The company also says that the stored passwords were not internally abused or improperly accessed by its employees. “This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way,” a Facebook spokesperson said in a statement.
While Facebook is not recommending that users change their passwords, it is advisable to change them for your own safety, considering the company’s long history of breaching users’ privacy and security.