Facebook admitted Thursday that hundreds of millions of user passwords were stored in plain text on its data storage systems. In other words, unencrypted passwords were readily available to the company's employees.
"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems," Pedro Canahuati, vice president of engineering, security, and privacy at Facebook, wrote in a blog post.
"This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable," Canahuati continued. "We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."
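The "techniques that make them unreadable" Canahuati refers to are salted, deliberately slow password hashes: a login system keeps only the hash and never the password itself, so a readable copy in a database or log is a defect rather than a normal state. The following added example (not Facebook's code; the in-memory `USER_DB` and `APP_LOG` stores, the user names and the password value are all constructed for illustration) contrasts the plaintext failure mode with the intended design, and includes the kind of check a routine review would run to spot a password turning up where it should not be:

```python
import hashlib
import hmac
import os

# Constructed stand-ins for a user database and an application log
# (assumptions for this example, not any real system's storage).
USER_DB = {}
APP_LOG = []


def store_plaintext(username, password):
    """The failure mode in the article: the password is written as-is to
    the user record and also leaks into a log line."""
    USER_DB[username] = {"password": password}
    APP_LOG.append(f"login ok user={username} password={password}")


def store_hashed(username, password, n=2**14, r=8, p=1):
    """The intended design: keep only a per-user salt plus a slow scrypt
    hash. Nothing stored here can be turned back into the password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=32)
    USER_DB[username] = {"salt": salt.hex(), "hash": digest.hex(),
                         "n": n, "r": r, "p": p}
    APP_LOG.append(f"login ok user={username}")  # no secret in the log


def verify_hashed(username, candidate):
    """Recompute the hash from the stored salt and parameters and compare
    in constant time; records without a hash can never verify."""
    rec = USER_DB.get(username)
    if rec is None or "hash" not in rec:
        return False
    salt = bytes.fromhex(rec["salt"])
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                            n=rec["n"], r=rec["r"], p=rec["p"], dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(rec["hash"]))


def readable_password_leaks(password):
    """Review-style check: list every place a known password appears in
    readable form. Returns tags like 'db:<user>' and 'log:<line index>'."""
    hits = []
    for user, rec in USER_DB.items():
        if any(password in str(value) for value in rec.values()):
            hits.append(f"db:{user}")
    for i, line in enumerate(APP_LOG):
        if password in line:
            hits.append(f"log:{i}")
    return hits


def run_demo(password="correct horse battery staple"):
    """Store the same constructed password both ways and report what the
    review check finds and whether each record can still be verified."""
    USER_DB.clear()
    APP_LOG.clear()
    store_plaintext("alice", password)   # the defect
    store_hashed("bob", password)        # the design
    return {
        "leaks": readable_password_leaks(password),
        "bob_ok": verify_hashed("bob", password),
        "bob_wrong": verify_hashed("bob", password + "x"),
        "alice_verifiable": verify_hashed("alice", password),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo reports the plaintext record and the log line as leaks while the hashed record produces none, and only the hashed record can actually be verified. The leak check is the same idea as the "routine security review" in the post: search storage and logs for values that should never appear in readable form.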
The passwords were never visible to anyone outside of the company, according to Facebook. It also said it found no evidence of employees abusing their access to the passwords.
Brian Krebs first reported the security breach on his blog, Krebs on Security, prior to Facebook's public announcement.
How many users were impacted?
"We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users," Canahuati wrote. "Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity."
It's unclear how long the passwords had been stored without encryption or why Facebook waited until March to report the breach.
But, according to Krebs, "in some cases," the issue dates back to 2012.
Facebook and Instagram users are advised to change their passwords.