Facebook stored 'hundreds of millions' of passwords in plain text

Facebook has admitted to storing 'some' user passwords in a plain text file readily accessible by staff, later clarifying 'some' to mean 'hundreds of millions'.

In a security notification penned by vice-president of engineering, security, and privacy Pedro Canahuati and embarrassingly entitled 'Keeping Passwords Secure', Facebook has confirmed that 'as part of a routine security review in January' it discovered it had been storing 'some user passwords' in plain text format - rather than the industry standard of storing only a salted one-way hash of the password, which can be compared to a hash of a submitted password for verification.

'Some user passwords', however, turns out to be something of an understatement - though, Canahuati is likely relying upon, not technically untrue: 'We estimate that we will notify hundreds of millions of Facebook Lite users,' the vice president continues in the announcement's second paragraph, 'tens of millions of other Facebook users, and tens of thousands of Instagram users'.

These hundreds of millions of users, Canahuati admits, had their passwords not only stored in plain text with no encryption or hashing but in a data storage system to which Facebook staff had full access. 'To be clear, these passwords were never visible to anyone outside of Facebook,' Canahuati's statement continues, 'and we have found no evidence to date that anyone internally abused or improperly accessed them.'

While that claim - that the passwords were never disclosed externally nor improperly accessed internally - remains the company's official line, Facebook has begun reaching out to the hundreds of millions of users affected with the advice that they should change their passwords on both Facebook and Instagram, avoid reusing the same passwords on multiple services, and look at enabling two-factor authentication (2FA) on their accounts.