Facebook Stored Hundreds of Millions of Passwords in Text Employees Could Access

It's time to change your Facebook password. The social media platform reportedly stored passwords for hundreds of millions of users in plain text for years, exposing them to anyone who had internal access to the files, according to Krebs on Security.

User passwords are typically protected with encryption, but a string of errors led certain Facebook-branded apps to leave passwords accessible to as many as 20,000 company employees, a senior Facebook employee told Krebs.

Between 200 million and 600 million Facebook users are believed to have been affected, Krebs reports. Facebook confirmed the issue in a blog post titled "Keeping Passwords Secure," adding that the company identified the problem in January during a security review. The social media giant said it fixed the issue and will notify everyone affected.

The company also said there is no evidence that plain text passwords were exposed outside of the company or abused internally, which means users affected will not be required to reset their passwords.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Facebook software engineer Scott Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

The issue impacted “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the company says. Facebook Lite is a version of Facebook designed for low-speed connections and low-spec phones.

While the company says there is no evidence of abuse, at least 2,000 Facebook employees searched through the files containing passwords; it's not clear why. The password logging reportedly started as early as 2012.

The password woes come at a tough time for the social network. Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with large tech companies.