March 22 (UPI) — Facebook stored hundreds of millions of account passwords unencrypted, in plain, searchable text that thousands of employees could access, the social media giant confirmed Thursday.
Facebook has since fixed the problem, the company said in a statement.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” Facebook said. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
Facebook officials added that “there is nothing more important to us than protecting people’s information.”
Cyber security journalist KrebsOnSecurity broke the story Tuesday.
This could affect as many as 600 million users going back to 2012. The social network has 2.7 billion users.
Facebook software engineer Scott Renfro told KrebsOnSecurity that no signs of misuse of data have been found and “there was no actual risk that’s come from this.”
When someone creates an account, passwords are masked with a random set of characters so they aren’t stored in plain sight.
The exposed passwords affect Facebook, Instagram and Facebook Lite, a version of Facebook for areas with slower internet speeds. Facebook will notify affected users. Anyone can change their password at any time.
Twitter and GitHub admitted to similar password breaches in recent months.
This comes after the New York Times reported federal prosecutors are investigating deals Facebook made with large technology firms. This month, Facebook was also criticized for selling users’ phone numbers to marketing companies so the companies could spam those users.
On March 13, the company had an outage that lasted several hours.