Image: © depositphotos.com/petrkurgan
In March 2019, Facebook revealed that millions of user passwords were stored in plain text within the company’s internal data systems.
In a statement about the issue, Facebook claims that nobody outside of the company had access to the plain text passwords. It also notes that there is as yet no evidence to indicate that the passwords were improperly accessed or used by Facebook staff members.
The statement notes in part:
As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.
To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.
You can read Facebook’s full statement here.
Internet security blog Krebs on Security offers a more detailed analysis of the issue.