On March 21, Facebook revealed in a post that “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” had their passwords stored in an unencrypted, readable format.
That post has now been updated. It states that since its original publication, Facebook discovered additional logs of Instagram passwords being stored in a readable format. No word on how many millions of users were affected. The company said it “will be notifying these users as we did the others.”
Facebook is said to have been storing up to 600 million passwords in plaintext, some for as far back as 2012. Around 2,000 engineers or developers made internal queries using these logs, and while the company insists they were never leaked, storing them in an unencrypted format means they could have been easily abused if hacked.
“This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way. There is no evidence of abuse or misuse of these passwords,” wrote the social network.
The timing of the update is suspect, coming as it did one hour before the Special Counsel’s report into Russian election interference was released and on the eve of a holiday weekend. Facebook claims it only recently discovered the additional Instagram passwords, but it wouldn’t go into specifics.