600 Million Facebook Users' Passwords Stored Internally In Plain Text


Facebook is said to have stored up to 600 million user account passwords without encryption and viewable as plain text to its tens of thousands of employees, according to a report by cybersecurity journalist Brian Krebs.

Facebook confirmed the report in a blog post, and the social giant's shares dropped a little less than 1 percent.

"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable."

"We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."


Facebook's blog post didn't say how many users were affected, but according to Krebs' report the problem dates back to as early as 2012.

A Facebook software engineer was quoted by Krebs as saying that the investigation so far indicates that between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.

"We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data," said the source.

"In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse."
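The defect the blog post and the engineer describe is not a broken hashing scheme but request logging that captured the raw password before it ever reached the login system's hashing code. As an added illustration (not Facebook's code; the field names, scrypt cost parameters, logger names and log lines are assumptions), the Python below shows the three pieces a defender wants side by side: a salted scrypt store-and-verify routine that never persists the plaintext, a logging filter that scrubs password-like fields before a record is written, and a scan routine standing in for the "routine security review" that finds log lines still carrying a secret. The naive `attempt_login(..., redact=False)` path reproduces the inadvertent-logging bug; `redact=True` shows the fix.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import List, Optional, Tuple

# Added example, not Facebook's code. Cost parameters for hashlib.scrypt are
# assumed reasonable for a demo; production values come from your own threat model.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN = 2 ** 14, 8, 1, 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password). Only this value is persisted; the
    plaintext password is never written anywhere."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)


# key=value pairs whose values must never reach a log line (hypothetical field list)
SECRET_FIELDS = re.compile(r"(?i)\b(password|passwd|pwd|new_password|token)=([^\s&]+)")


class RedactSecrets(logging.Filter):
    """Rewrite each record's message before any handler writes it out."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = SECRET_FIELDS.sub(r"\1=[REDACTED]", record.getMessage())
        record.args = ()  # message is already rendered; drop the raw args too
        return True


class ListHandler(logging.Handler):
    """Keeps formatted log lines in memory so the example can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(redact: bool) -> Tuple[logging.Logger, ListHandler]:
    logger = logging.getLogger("login-demo-redacted" if redact else "login-demo-raw")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler()
    if redact:
        handler.addFilter(RedactSecrets())  # a handler filter runs before emit()
    logger.addHandler(handler)
    return logger, handler


def attempt_login(username: str, password: str, stored: bytes,
                  redact: bool) -> Tuple[bool, List[str]]:
    """Simulated login handler. The debug line reproduces the defect the article
    describes: the whole request, password included, is logged. With
    redact=True the filter scrubs the value before the line is stored."""
    logger, handler = build_logger(redact)
    logger.debug("login request: user=%s password=%s", username, password)
    ok = verify_password(password, stored)
    logger.info("login result: user=%s ok=%s", username, ok)
    return ok, handler.lines


def scan_log_lines(lines: List[str]) -> List[int]:
    """The 'routine security review' step: indices of lines that still carry
    an unredacted secret field."""
    return [i for i, line in enumerate(lines)
            if any(m.group(2) != "[REDACTED]" for m in SECRET_FIELDS.finditer(line))]


if __name__ == "__main__":
    stored = hash_password("s3cret-example-pw")  # constructed sample credential
    for redact in (False, True):
        ok, lines = attempt_login("alice", "s3cret-example-pw", stored, redact)
        print(f"redact={redact} ok={ok} leaked_lines={scan_log_lines(lines)}")
        for line in lines:
            print("   ", line)
```

The filter is attached to the handler rather than the logger so that it runs on every record the handler writes, including records propagated from child loggers; the scan function is the same regex applied after the fact, which is what a review of existing log stores has to do once a plaintext has already been written.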

The 600 million users represent a large share of Facebook's 2.7 billion-person user base. The company said it planned to start notifying those affected so they could change their passwords.

In a written statement to KrebsOnSecurity, Facebook said it expects to notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users."

While no passwords were exposed outside the company and Facebook found no evidence of abuse, the company has offered users some tips to keep their accounts safe:

  1. Change your password in the settings on Facebook and Instagram, and avoid reusing passwords across different services.
  2. Choose strong and complex passwords for all accounts; a password manager app can help.
  3. Consider enabling a security key or two-factor authentication on your Facebook account, using codes from a third-party authentication app.

Facebook has been under heavy scrutiny after several years of privacy and security scandals that have drawn criticism from users as well as regulatory inquiries and fines, particularly in the European Union.

But Facebook's series of mishaps hasn't significantly dented the company's revenue or its daily active users, both of which rose last quarter despite an extended social media campaign by Facebook critics, including high-profile figures, encouraging privacy-minded users to delete their accounts.

Update (April 18, 2019): After the original announcement, Facebook discovered "additional logs of Instagram passwords being stored in a readable format" and said the issue affected millions of Instagram users, not just the "tens of thousands" previously mentioned.