Uh-oh, says Facebook, it turns out millions of user passcodes were stored in plaint text on the social network’s servers. Facebook disclosed the mistake that risked exposing the passwords of Facebook and Instagram users in a new blog post called Keeping Passwords Secure — presumably the irony is not intentional.

Facebook says it discovered the mistake earlier this year:

As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.

The company goes on to say that no one outside of Facebook had access to user passwords, and to their knowledge, no one internally abused having access to exposed passwords stored in plaint text.

Don’t take Facebook’s word for it though. Always use a unique password for every account and never recycle the same password for two or more accounts. Password management software like 1Password and LastPass can help, or even Apple’s built-in iCloud Keychain feature … or as a last resort, a classic notebook with passwords that you update regularly. Just don’t leave it to memory and recycle a password. Why? There’s no way to know who else may be storing passcodes in plain text as well.

It’s also wise to enable two-factor authentication for your personal online accounts when possible. Facebook shares how to do that with its services below:

Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third party authentication app. When you log in with your password, we will ask for a security code or to tap your security key to verify that it is you.

Finally, the social network says it will start alerting affected users about the security goof following today’s disclosure. As for how many people are affected, this is what the company offers:

We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.

Don’t wait for Facebook to tell you though. Use a unique password and change your Instagram and Facebook credentials anyway just to be safe.


Subscribe to 9to5Mac on YouTube for more Apple news:

About the Author