Facebook has admitted that hundreds of millions of its users’ passwords were stored in plain text and could be accessed by its employees.
In a blog post, Pedro Canahuati, VP Engineering, Security and Privacy at Facebook, said the company has fixed the issues and will be notifying those users whose passwords were incorrectly stored.
He said, “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
The social media giant assured users that no one outside of the company saw these passwords and there is no evidence that anyone internally abused or improperly accessed them.
The company found the problem through a routine security review.
This is yet another blow to the social networking giant, which has already developed a sketchy privacy reputation as it battles the aftermath of the Cambridge Analytica scandal.
Canahuati said the company has been looking at the ways it stores certain other categories of information, such as access tokens, and has fixed problems as it has discovered them.
According to the Wall Street Journal, the exposure was reported by krebsonsecurity.com overnight.
Canahuati explained that Facebook masks people’s passwords when they create an account so that no one at the company can see them.
He said, “In security terms, we ‘hash’ and ‘salt’ the passwords, including using a function called ‘scrypt’ as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.”
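The scheme Canahuati describes (a per-user salt, scrypt, and a server-side key) can be illustrated with the following added example, which is not from the original article and is not Facebook's code. The cost parameters, the HMAC step used to apply the key, and all names are assumptions; the sample password and key are constructed.

```python
import hashlib
import hmac
import os

# Assumed cost parameters (not from the article): N=2**14, r=8 uses about 16 MiB per hash.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "maxmem": 64 * 1024 * 1024, "dklen": 32}


def hash_password(password, server_key, salt=None):
    """Return the record to store: a random per-user salt and a keyed scrypt digest."""
    if salt is None:
        salt = os.urandom(16)  # unique salt so equal passwords give different records
    stretched = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    # Assumed construction: HMAC with a key kept outside the password store, so a
    # copy of the stored records alone is not enough to test password guesses.
    digest = hmac.new(server_key, stretched, hashlib.sha256).digest()
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify_password(candidate, record, server_key):
    """Recompute the digest from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    recomputed = hash_password(candidate, server_key, salt)
    return hmac.compare_digest(recomputed["digest"], record["digest"])


if __name__ == "__main__":
    key = os.urandom(32)  # constructed key; in practice held in a KMS or HSM
    record = hash_password("correct horse battery", key)
    print("stored record:", record)  # contains no plaintext password
    print("right password:", verify_password("correct horse battery", record, key))
    print("wrong password:", verify_password("correct horse", record, key))
```

The plaintext exists only in memory for the duration of the call; the incident described in this article concerns passwords that were stored in readable form instead of as records like this one.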
The social media giant has been called out over the way it handled the live stream of the Christchurch shootings with outlets reporting the original video was on Facebook for an hour before it was pulled down.