Facebook has revealed it stored passwords for hundreds of millions of users in plain text, likely since 2012.
That means it exposed those users for years to anyone who had internal access to the files. "These passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," explained Facebook.
According to Krebs on Security, which first reported the security fail, up to 600 million Facebook users had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. Facebook has not confirmed these numbers yet, though it did estimate the issue impacted "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users".
In a blog post called "Keeping Passwords Secure," Facebook said it spotted the problem in January 2019, has since fixed the issue, and plans to notify everyone whose passwords were found to be stored in plain text. Users won't be required to reset their passwords, but you might want to anyway (go to Settings > Security and Login, then click Edit next to Change Password).
This is the latest security issue for Facebook. Last autumn, a hacker accessed personal information from 29 million users after stealing login tokens. And, of course, there's the Cambridge Analytica scandal, which has put an unflattering spotlight on the company over the past year.