Facebook has accidentally stored millions of user passwords in plain text since 2012!


Facebook is once again at the center of a new data protection controversy: The passwords of "hundreds of millions" of users were stored in plain text. This time, Instagram users are also affected. Overall, between 200 and 600 million Facebook and Instagram users could be affected.

Although the social media company did not specify which component or application on its website caused the error, Facebook announced that the company discovered the security flaw in January of this year during a routine security audit.

In a blog post published on March 21, Pedro Canahuati, Vice President of Engineering at Facebook, said that an internal investigation into the incident found no evidence that Facebook employees misused these passwords. However, around 20,000 employees had access to the passwords! The plain-text passwords were allegedly not viewable by anyone outside the company.

Canahuati did not mention the exact number of users affected by the error but confirmed that the company would immediately begin notifying "hundreds of millions of affected Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users."

Facebook has fixed the problem and now recommends changing Facebook and Instagram passwords immediately.

Furthermore, all Facebook and Instagram users are still strongly advised to use two-factor authentication and the login alert feature. In general, it is also recommended to use secure VPN software and a password manager.

This incident confirms once again: Use a unique password for each service and each website! Also, consider our tips for secure passwords…

This is yet another security incident at Facebook. In October last year, Facebook had to admit that hackers were able to access personal data from 29 million Facebook accounts using secret access tokens.

But Facebook is not the only company that has stored hundreds of millions of its users' passwords in plain text. Twitter also had to admit a similar security incident last year. At Twitter, passwords of around 330 million users were unintentionally stored in plain text on internal computer systems.