UPDATED with the disclosure that "millions" of Instagram passwords had been stored in plaintext. This story was originally published March 21, 2019.
Facebook stored the account passwords of "hundreds of millions" of Facebook, Facebook Lite and Instagram users in unencrypted plaintext on its internal servers, where thousands of Facebook employees could have viewed them, the company said today (March 21) in an official Facebook blog posting.
The posting quickly followed a scoop by independent information-security Brian Krebs, who broke the story this morning on his blog. Krebs' source said "between 200 million and 600 million" Facebook users may have had their passwords exposed, and that more than 20,000 Facebook employees would have had access to the passwords.
The silver lining, at least so far, is that there's no evidence that the account passwords left Facebook premises, so to speak. There's probably no need to change your Facebook or Instagram passwords, as long as the passwords are unique and strong. But this is a reminder that you should enable two-factor authentication to safeguard your Facebook account, preferably using an authenticator app or a physical USB security key as the second factor.
"We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data," Facebook software engineer Scott Renfro told Krebs.
Facebook, like all other online websites that require user authorization, is supposed to not store passwords in plaintext, but to instead "hash" passwords using a one-way encryption algorithm and to then store the hashed versions.
When you log in with your password, the backend hashes what you type in using the same algorithm, and then compares the resulting hash to the hash the server has on file for you. If the hashes match, you're granted access to the site.
But, um, that didn't quite happen this time. In January, Facebook staffers reviewing code noticed that some Facebook web applications were logging plaintext passwords and storing them on Facebook internal servers, Krebs said. Those applications weren't new, either -- it looked like some of them had been logging passwords unencrypted since 2012.
Since then, an unnamed source within Facebook told Krebs, some 2,000 Facebook staffers made "approximately nine million internal queries" for data that would have contained the user passwords.
Facebook didn't confirm those kinds of numbers in its own blog post, but estimated that it would "notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users" that their passwords had been exposed to Facebook employees.
Facebook Lite is a low-resource version of Facebook designed for slow internet connections and underpowered smartphones.
UPDATE: On April 18, 2019, Facebook updated its original blog post regarding this matter to say that not tens of thousands, but rather "millions" of Instagram passwords had been "stored in a readable format." Facebook said it planned to notify those users, but that none of the had been "abused or improperly accessed."