Facebook employees had unfettered access to hundreds of millions of users’ unencrypted passwords for years

Facebook co-founder, Chairman and CEO Mark Zuckerberg. Chip Somodevilla/Getty Images
  • Facebook employees had access to hundreds of millions of users’ passwords – for years.
  • Users’ passwords were being stored in an unencrypted format and were said to be accessible by 20,000 workers at the company.
  • Facebook says it hasn’t found any evidence of misuse of the data.
  • It’s the latest privacy scandal to hit the besieged tech firm.

Facebook stored hundreds of millions of users’ passwords in a format easily readable by its employees for years, in the latest security scandal to hit the beleaguered Silicon Valley tech giant.

The cybersecurity journalist Brian Krebs first reported the news on Thursday, and Facebook subsequently confirmed it in a blog post titled “Keeping Passwords Secure.”

Digital security best practices call for passwords to be stored in an encrypted format – making them unreadable even by the companies that hold them. But in Facebook’s case, they were stored in plain text, meaning that anyone with access to the file could read users’ passwords with no additional steps required. According to Krebs, more than 20,000 employees had access to those passwords.

It’s not clear exactly how many people were affected, but Facebook says it plans to notify “hundreds of millions” of affected users of Facebook Lite (the company’s lightweight app for emerging markets), “tens of millions” of regular Facebook users, and “tens of thousands” of Instagram users. Krebs reports that the total number is between 200 million and 600 million.

Facebook said that it had “found no evidence anyone internally abused or improperly accessed” the password data and that the issue was discovered during a “routine security review” in January. Krebs said the issue existed as far back as 2012.

The incident is the newest in a long line of serious scandals and crises to wrack Facebook over the past two years – many of which have been security- or privacy-related. That includes the Cambridge Analytica scandal as well as a hack of tens of millions of users’ personal data.

Do you work at Facebook? Contact this reporter via Signal at +1 (650) 636-6268 using a non-work phone, email at [email protected], Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only please.) You can also contact Business Insider securely via SecureDrop.

Now read: