March 21, 2019
Facebook announced Thursday that millions of user passwords were left readable by its employees for years, violating fundamental computer-security practices.
The acknowledgment came after a security researcher exposed the matter, claiming that millions of Facebook users' passwords had been stored in plain text and were therefore searchable by Facebook employees. Typical security standards for websites call for passwords to be stored in a scrambled form, making the original text impossible to recover.
Despite this, Facebook reports no evidence suggesting that any of its thousands of employees abused this ability. The passwords, stored on internal company servers, were not available outside the organization.
Facebook has about 2.2 billion users worldwide.
In a blog post published Thursday, "Keeping Passwords Secure," Facebook laid out how it secures accounts and protects passwords. Facebook said it will likely notify millions of Facebook and Instagram users that their passwords were stored in plain text.
Facebook said it discovered the problem in January, but research has found passwords stored in plain text dating as far back as 2012. Facebook bought Instagram that year as well.
Because Facebook is still investigating, there is not yet any way to tell whether someone had access to your account. While Facebook is not requiring members to change passwords, the network -- and cybersecurity experts -- are strongly encouraging users to do so.