Facebook previously said it stored ‘tens of thousands’ of unencrypted Instagram passwords on its internal servers, but it was actually millions.
Facebook on Thursday revealed that it accidentally stored “millions” of Instagram user passwords in plain text.
The disclosure comes a month after it admitted to accidentally storing “hundreds of millions” of unencrypted user passwords on the social network’s internal servers. At the time, Facebook said the problem only affected “tens of thousands” of Instagram users. But it was wrong.
“We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others,” Facebook said in an update to its original post on the incident.
How many users were affected isn’t clear. The company told PCMag it doesn’t have precise numbers to share. “This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way,” a Facebook spokesperson said in an email.
According to Facebook, the company has uncovered no evidence of abuse or leaks with the stored credentials. Still, it’s a good idea for affected users to change their passwords to stay safe.
Under the best security practices, companies should be storing passwords not in plain text, but through a method called hashing, which can effectively scramble the sensitive data into an unreadable format. So in the event a breach occurs, the hashing can prevent, or at least delay, a hacker from quickly exploiting the data.
So far, Facebook hasn’t revealed how long it had been storing the Instagram passwords in plain text, what caused it, or how many employees may have had access to the information.
For added protection, Instagram users can consider activating two-factor authentication on their account, which will prevent unauthorized logins in the event a hacker successfully guesses or steals their password.