Facebook admits it stored hundreds of millions of user passwords in plain text

Shawn Knight

TechSpot Staff

Facebook on Thursday revealed that a routine security review in January found that some user passwords were being stored internally in plain text. The social network said the passwords were never visible to anyone outside its walls and that there is no evidence that any Facebook employees improperly accessed them.

Facebook has since fixed the issue and, as a precaution, will be notifying impacted users.

A senior Facebook employee tells KrebsOnSecurity that the investigation thus far suggests between 200 million and 600 million users may have had their passwords stored in plain text. Worse yet, they were technically accessible to more than 20,000 Facebook employees, with some archives dating back to 2012.

In its official statement, Facebook estimated they would be notifying “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users.” Facebook Lite is a version of the social network optimized for slower Internet connections.

This isn’t the first time Facebook’s sketchy privacy practices have been called into question this month. A few weeks back, it was revealed that phone numbers submitted for two-factor authentication purposes could be used to look up users on the social network.




TS Enthusiast
Unbelievable! Who in their right state of mind would download so many millions of passwords from a database and make them accessible to everyone?! This is worse than ridiculous. Facebook should fire everyone that knew about this.


TS Evangelist
This is really why 2-factor authentication is an advantage.
Someone may know your login credentials but still cannot log in because of the added security.
...unless that person also has your smartphone. ;)


TS Ambassador
The details are important here.

While it is TRUE that passwords were stored in plain text on the disk,

it is NOT TRUE that they were accessible from the internet.
Only persons with accounts internal to FB could have seen/accessed the data.

It certainly shows a total disrespect for security by FB and its staff -- after all, the guys/gals that did the work should have known better and said something.


TS Evangelist
That's why I used two factor auth in Facebook. Then I deleted my account altogether... Too much information on their hands... Google already have enough of it.