Facebook has made a low-key revelation that it stored the passwords for millions of Instagram users' accounts in plain text on its internal servers.
The tech giant made the admission in a blog post published several weeks ago, which has now been edited to reveal the enormous scope of the exposure.
Originally Facebook claimed it was ‘tens of thousands’ of user passwords, but it recently conceded that the number was in the millions.
On top of being stored in plain text, passwords were also searchable by thousands of Facebook employees.
Facebook maintains that there is no evidence of the passwords being abused or disseminated outside of the company.
The social media company says the issue came to light in January 2019, prompting an in-depth investigation.
In their blog post Facebook said: “These passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.
“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
After its original post, Facebook discovered that the scope of the passwords logged in plain text was far greater than originally estimated.
The updated post read: “Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”
Facebook insists that no malicious actions have been linked to the security breach.
“This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way. There is no evidence of abuse or misuse of these passwords.”