Hundreds of millions of Facebook users may have had their passwords exposed as the result of an alarming oversight by the social media company.

This includes Facebook, Facebook Lite, and Instagram users.

The shocking vulnerability was first revealed by security researcher Brian Krebs, who reports that Facebook left the passwords of 200 million to 600 million users stored in plain text.

That means the information was readable and searchable by more than 20,000 Facebook employees, in some cases dating as far back as 2012.

The company first learned of the issue only this past January.

Facebook has since confirmed the shocking security failure, but insists it has fixed the issue and has not found any evidence that the information was 'abused.'

WHAT SHOULD YOU DO NOW?

According to Facebook, all users who were affected by the password issue will be notified. This includes:

Facebook: Tens of millions of users
Facebook Lite: Hundreds of millions of users
Instagram: Tens of thousands of users

For now, Facebook is not requiring any users to reset their passwords as a result of the issue. Users can choose to do this on their own, however, for peace of mind. For added protection, the firm also recommends setting up a security key or two-factor authentication through a third-party authentication app.

All users whose passwords were exposed will be notified, the company says.

According to Facebook’s staggering estimates, that so far includes ‘hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.’

The shocking flaw comes as yet another blow to the already waning trust of many Facebook users amid two years of back-to-back privacy scandals.

A source at Facebook who alerted Krebs to the issue says the firm is still working to determine exactly how many passwords were exposed and for how long.

But, the internal investigation uncovered archives dating back to 2012 that show users’ passwords in plain text, according to Krebs.

Facebook released a public statement in tandem with Krebs’ report and confirmed it uncovered the plain text passwords during a routine security review in January.

Users’ passwords are typically stored in a way that masks the text and makes them unreadable even to employees.

It’s so far unclear what caused some users’ passwords to be left exposed.

‘To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,’ Facebook says.

‘We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.’

‘Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity,’ the firm noted.

According to the report in KrebsOnSecurity, the access logs show that about nine million internal searches conducted by roughly 2,000 engineers or developers were linked to data elements containing plain text passwords.

There’s so far no indication that this information was misused, Facebook says.

At this stage in the investigation, the company is not requiring any users to reset their passwords.

‘We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,’ Facebook software engineer Scott Renfro told KrebsOnSecurity.

‘In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this.

‘We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.’



