Unknown to hundreds of millions of Facebook users, their passwords were sitting in plain text inside the company’s data storage, leaving them vulnerable to potential employee misuse and cyberattack for years.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Facebook’s Vice President for Engineering, Security and Privacy Pedro Canahuati said in a statement.
The company plans to notify hundreds of millions of Facebook Lite users, in areas with scant connectivity, as well as tens of millions of other Facebook users and tens of thousands of Instagram users.
The announcement came in the midst of a report by cybersecurity blog Krebs on Security, which cited an anonymous Facebook source. As many as 600 million users may have been affected, according to the source.
Facebook insists privacy is its top priority.
“There is nothing more important to us,” Canahuati said, “than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.”