
Hundreds of millions of passwords were stored in plain text on Facebook.

Angela Lang / CNET

Hundreds of millions of passwords were an open book on Facebook's internal servers.

An internal investigation at Facebook in January found that all those passwords were stored in plain text, meaning it was possible for the social network's employees to easily come across and potentially abuse the login credentials. 

The company found "no evidence to date" that any staffers improperly accessed those passwords, Pedro Canahuati, Facebook's vice president of engineering, security and privacy, said in a blog post Thursday.

The internal investigation was first reported by Krebs on Security.

Facebook said it will be notifying hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users. The company said it first discovered the problem as part of a routine security review in January.

Facebook has more than 2.3 billion monthly users, and Instagram has more than 1 billion.

When reached for comment, a Facebook spokesperson referred to the blog post.

"This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable," Canahuati said in the blog post. "We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."

Security standards recommend that companies encrypt passwords when they store them, so that employees and potential attackers don't have access to a treasure trove of login credentials. 

Facebook said it hashes and encrypts passwords, but it's unclear how hundreds of millions of accounts had their passwords in plain text on internal company servers. It is still investigating the cause. 

The social media giant isn't alone in this sort of security shortfall. Last May, Twitter advised 330 million users to change their passwords after discovering a bug that stored them in plain text on its internal logs. GitHub had a similar flub revealed last May.

First published March 21 at 8:49 a.m. PT.
Update at 9:13 a.m. PT: Added details on Facebook's internal investigation.
