It’s difficult to summarize all of Facebook’s privacy, misuse, and security missteps in one neat description. Hundreds of millions of Facebook users’ passwords were stored in plain text, totally searchable by Facebook employees for years.
According to a report by Krebs on Security, Facebook acknowledged a bug in its password management systems that caused hundreds of millions of user passwords for Facebook, Facebook Lite, and Instagram to be stored as plaintext in an internal platform.
The investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.
Most of the passwords were exposed back in 2012.
Shortly after KrebsOnSecurity published its story, Facebook posted its own statement by its vice president of engineering, security and privacy, Pedro Canahuati. He states that the company first discovered the issue during “a routine security review in January.”
Facebook claims that no one outside of the company was able to view the passwords and that it has found no evidence that anyone working at the social network “abused or improperly accessed them.” According to KrebsOnSecurity’s source, around 2,000 engineers or developers queried data that contained plain text passwords approximately 9 million times.
In September last year, Facebook said information on 50 million users had been exposed by a security flaw.
And earlier in 2018 it revealed that data on millions of users had been harvested by data science company Cambridge Analytica.
But whether you get a password notification from Facebook or not, you might as well go ahead and change it as a precaution.
To do so on Facebook desktop, go to Settings → Security and Login → Change Password. On Facebook for iOS and Android, go to Settings & Privacy → Settings → Security and Login → Change Password. On Facebook Lite for Android, go to Settings → Security and Login → Change Password. Changing your account password on either main Facebook or Facebook Lite changes it for both.
On Instagram, go to Settings → Privacy and Security → Password to change your password. Instagram and Facebook do not use the same password, but the accounts can be linked so that one can be used to log into the other.
Facebook is not forcing affected users to change their passwords at this time.