Facebook on Thursday revealed that during a routine security review in January, it was discovered that some user passwords were being stored internally in plain text format. The social network said the passwords were never visible to anyone outside its walls and that there is no evidence that any Facebook employees improperly accessed them.
Facebook has since fixed the issue and, as a precaution, will be notifying impacted users.
A senior Facebook employee tells KrebsOnSecurity that the investigation thus far suggests between 200 million and 600 million users may have had their passwords stored in plain text. Worse yet, they were technically accessible by more than 20,000 Facebook employees, with some archives dating back to 2012.
In its official statement, Facebook estimated they would be notifying “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users.” Facebook Lite is a version of the social network optimized for slower Internet connections.
This isn’t the first time Facebook’s sketchy privacy practices have been called into question this month. A few weeks back, it was revealed that phone numbers submitted for two-factor authentication purposes could be used to look up users on the social network.