Last month, Facebook admitted in a blog post that it stored ‘hundreds of millions’ of account passwords in plaintext. The company said that the problem affected hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Now, Facebook has updated the blog post to announce that not tens of thousands but millions of Instagram users were affected by the issue. Additionally, the company reiterates its earlier statement that even though the exposed passwords were stored in plaintext, they weren’t abused or accessed improperly. However, it doesn’t describe the basis on which it makes these claims.
“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed,” states the updated Facebook post. However, there is no detail about how many million users have been affected. While the company will be notifying the affected users, we suggest that our readers change their passwords immediately.
As mentioned earlier, Facebook acknowledged that it had been saving passwords in plaintext for quite some time. The company claims that although these passwords were stored on its internal servers that were accessible by developers and 2,000 engineers, the data was not leaked outside or inappropriately accessed by anyone. However, as we said, there is no proof provided that the passwords weren’t accessed inappropriately.
The latest revelations by Facebook come soon after it said that it “unintentionally” stored email contacts of 1.5 million users who joined the social network since 2016. The company is said to have imported and stored users’ email contact lists on its servers, without proper consent. Facebook said that before 2016, it asked users to provide their email credentials to verify their account and displayed a notification to users that their email contacts would be collected. However, the company claims that the feature was changed to delete the notification, but email contacts were still being collected.