Facebook stored tens of millions of user passwords in a readable format within its internal data storage systems, the company explained in a Thursday blog post entitled “Keeping Passwords Secure.”
The company told Krebs Security, which first reported the data breach, that its internal investigation has not found evidence that employees abused access to this data. The company said it will notify affected users, which include people who used Facebook Lite, Facebook, and Instagram.
“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them,” the company said. “There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.”
An anonymous Facebook source told Krebs Security that anywhere between 200 million and 600 million Facebook users may have had their account passwords stored in plain text, which would have made them accessible to more than 20,000 Facebook employees. The company’s internal investigation has found archives with plain text user passwords stored in them dating back to 2012, the source told Krebs Security.
The disclosure comes weeks after Facebook users complained that there is no way to opt out of having personal phone numbers, stored on the application for security purposes, shared with third-party marketers. It is also the latest in a long string of self-inflicted scandals and screwups that have inspired intense regulatory scrutiny.
The incident could be a violation of the EU’s new General Data Protection Regulation (GDPR), which mandates that companies store passwords securely and notify anyone affected by a privacy breach within 72 hours.
An Irish data protection commissioner, which regulates Facebook in Ireland, told TechCrunch that Facebook has been in contact with the agency “and have informed us of this issue.”
“We are currently seeking further information,” the commissioner added.