Facebook really doesn't seem to understand privacy or security

Facebook is having a bad security day. How bad? Tens of millions of Instagram passwords have been exposed.

By Queenie Wong (Former Senior Writer) and Steven Musil (Night Editor / News), CNET News

Another day, another Facebook privacy problem.


Facebook's reputation for privacy protection, already much maligned, just took two more critical hits. 

On Thursday, the social network said it found that millions of Instagram passwords had been stored in plain text, an insecure format that would allow the tech giant's employees to read them if they wanted to. The new figure is orders of magnitude greater than an initial estimate of tens of thousands of unsecured passwords that was revealed in March.

The news, which was overshadowed but not obscured by the release of the Mueller report, followed an article saying that Facebook, Instagram's parent company, had "unintentionally" harvested the email contacts of about 1.5 million of its users over the past three years. The activity was discovered when a security researcher noticed Facebook asking users to enter their email passwords to verify their identities when signing up for accounts, according to Business Insider, which previously reported on the practice. Those who entered their passwords saw a pop-up message saying Facebook was "importing" their contacts, even though the service hadn't asked permission, according to BI.

The incidents mark just the latest in a raft of bad news for the social media giant, which is struggling to fight the perception that it can't grasp the concept of protecting your information. Facebook has made a pitch to lean more into privacy and messaging, but continues to be plagued by one screw-up after another.

Facebook acknowledged both lapses.

"We will be notifying these users as we did the others," Pedro Canahuati, Facebook's vice president of engineering, security and privacy, said of the unsecured Instagram passwords by updating a month-old blog post. "Our investigation has determined that these stored passwords were not internally abused or improperly accessed."


Facebook typically hashes and encrypts passwords so that even its own employees can't see them. That helps ensure that user passwords are protected. The company discovered that hundreds of millions of passwords were stored in plain text after a routine security review in January.
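The paragraph above contrasts two ways of keeping a password: storing it as typed (plain text, readable by anyone with access to the store) and storing only a salted, slow hash of it. The following is an added example, not Facebook's or Instagram's code and not something the article describes in detail; it uses Python's standard-library PBKDF2-HMAC-SHA256 with an assumed iteration count and record format to show why a correctly stored password is useless to an insider who reads the database, while a plain-text one is not.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed tuning values for this example; pick iteration counts from current
# guidance and benchmark them on your own hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
RECORD_PREFIX = "pbkdf2_sha256"


def store_plaintext(password: str) -> str:
    """The insecure pattern: the stored value *is* the password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random salt per user means two users with the same password get
    different records, so a stolen table cannot be attacked with one precomputed
    list. The iteration count is stored so it can be raised later without
    invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        RECORD_PREFIX,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_b64, hash_b64 = record.split("$")
    if algo != RECORD_PREFIX:
        raise ValueError("unsupported password record: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def record_exposes_password(record: str, password: str) -> bool:
    """A simple audit check: does reading the stored value reveal the password?
    True for plain-text storage, False for a hashed record."""
    return password in record


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample password
    plain = store_plaintext(secret)
    hashed = hash_password(secret)
    print("plain-text record exposes password:", record_exposes_password(plain, secret))
    print("hashed record exposes password:   ", record_exposes_password(hashed, secret))
    print("verify correct password:", verify_password(secret, hashed))
    print("verify wrong password:  ", verify_password("password123", hashed))
```

Run as a script it prints `True`, `False`, `True`, `False` for the four lines. The point for a reviewer is the last function: a routine audit that greps storage or logs for values that verify as real passwords would flag the plain-text path and pass the hashed one, which is the kind of check that turns "we found them in a security review" into "they never got there".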

Separately, a Facebook spokesperson confirmed that 1.5 million people's contacts had been collected without users giving permission since May 2016.

"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," a Facebook spokesperson said. "When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.

"We've fixed the underlying issue and are notifying people whose contacts were imported," Facebook said, adding that the contacts weren't shared with anyone and are being deleted. It also pointed out that users can review and manage the contacts they share with Facebook in their settings.

Facebook is also notifying hundreds of millions of Facebook Lite users and tens of millions of other Facebook users who had their passwords exposed internally.

As the world's largest social network, Facebook controls data on more than 2 billion people, and who has access to it. The company's data-handling practices were called into question in the wake of the Cambridge Analytica scandal, during which the personal information on up to 87 million Facebook users was improperly accessed.