Facebook: er, actually it was millions of Instagram passwords we stored in plain text, not thousands
With no fanfare whatsoever, Facebook has revealed that it stored the passwords for millions of Instagram accounts in plain text.
The news came as the company quietly updated a blog post from last month in which it revealed that it had stored hundreds of millions of unencrypted Facebook passwords on its servers. At the time, the company said "tens of thousands" of Instagram users were affected. Revising this figure upwards, Facebook says: "We now estimate that this issue impacted millions of Instagram users".
- Privacy: Facebook 'unintentionally' scraped and uploaded 1.5 million users' email contacts
- Data of 540 million Facebook users exposed in latest privacy cock-up
- Facebook stored millions of users' passwords in searchable plain text for years
Facebook remains insistent that there is no evidence that any of the passwords have been accessed or misused, but the incident does nothing to improve the company's poor reputation when it comes to security and privacy. The company has been criticized for the way in which it has disseminated the new information about the number of Instagram accounts that are affected. As well as making no announcement about the blog post update, Facebook also timed the update to coincide with the release of the Mueller report on Trump and Russian election interference.
In a paragraph added to the original Keeping Passwords Secure blog post, Facebook says:
Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.
A spokesperson for the company said the passwords had not fallen into the wrong hands: "This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way. There is no evidence of abuse or misuse of these passwords".