On Thursday, the social network said it found that millions of Instagram passwords had been stored in plain text, an insecure format that would allow the tech giant's employees to read them if they wanted to. The new figure is orders of magnitude greater than an initial estimate of tens of thousands of unsecured passwords that was revealed in March.
The news, which was overshadowed but not obscured by the release of the Mueller report, followed an article saying that Facebook, Instagram's parent company, had "unintentionally" harvested the email contacts of about 1.5 million of its users over the past three years. The activity was discovered when a security researcher noticed Facebook asking users to enter their email passwords to verify their identities when signing up for accounts, according to Business Insider, which previously reported on the practice. Those who entered their passwords saw a pop-up message saying Facebook was "importing" their contacts, even though the service hadn't asked permission, according to BI.
The incidents mark just the latest in a raft of bad news for the social media giant, which is struggling to fight the perception that it can't grasph the concept of protecting your information. Facebook has made a pitch to lean more into privacy and messaging, but continues to be plagued by one screw-up after another.
Facebook acknowledged both lapses.
"We will be notifying these users as we did the others," Pedro Canahuati, Facebook's vice president of engineering, security and privacy, said of the unsecured Instagram passwords by updating a month-old blog post. "Our investigation has determined that these stored passwords were not internally abused or improperly accessed."
Facebook typically hashes and encrypts passwords so that even its own employees can't see them. That helps ensure that user passwords are protected. The company discovered that hundreds of millions of passwords were stored in plain text after a routine security review in January.
Separately, a Facebook spokesperson confirmed that 1.5 million people's contacts had been collected without users giving permission since May 2016.
"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," a Facebook spokesperson said. "When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.
"We've fixed the underlying issue and are notifying people whose contacts were imported," Facebook said, adding that the contacts weren't shared with anyone and are being deleted. It also pointed out that users can review and manage the contacts they share with Facebook in their settings.
Facebook is also notifying hundreds of millions of Facebook Lite users and tens of millions of other Facebook users who had their passwords exposed internally.
As the world's largest social network, Facebook controls data on more than 2 billion people, and who has access to it. The company's data-handling practices were called into question in the wake of the Cambridge Analytica scandal, during which the personal information on up to 87 million Facebook users was improperly accessed.