Report: Facebook stored 200-600 million user passwords in plain text for years

Facebook is investigating whether employees may have stored hundreds of millions of user passwords in unencrypted plain text dating as far back as 2012, according to a report by security researcher KrebsOnSecurity.

Citing an anonymous senior Facebook employee, Krebs reports the passwords may have been searchable by more than 20,000 employees of the social media giant, whose data practices have been called into scrutiny repeatedly in recent months.

Facebook has declined to speak on any specific numbers yet, but Krebs' investigation so far has determined that anywhere from 200-600 million users may have been affected.

Scott Renfro, a software engineer at Facebook, told Krebs the issue first came to Facebook's attention in January, when engineers reviewing new code noticed passwords were being logged in plain text. “This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening,” he said.

Facebook addressed the matter in a blog post saying it plans to alert users today, but said no precautions like resetting passwords would be necessary.

In the company blog, Pedro Canahuati, VP Engineering and Privacy at Facebook said, "To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity."

The severity of this issue is very much still unknown; however, it shines a light on the continued challenge for major tech companies like Facebook in keeping users' data secure.