Given the terrible run of form it’s been on over the last year, it probably shouldn’t be that surprising that Facebook waited until the highly anticipated report on Russian interference in the 2016 US presidential election to deliver some bad news.

While just about every reporter was poring over the document, Facebook updated a blog post from March indicating that passwords had been exposed, stored as readable text (as opposed to securely encrypted), for hundreds of millions of Facebook users and thousands of Instagram users. It added a new paragraph to the middle of the post today indicating that a lot more Instagram users were affected than it originally thought:

(Update on April 18, 2019 at 7AM PT: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed).

Just a small update from “thousands” to “millions,” then.

Facebook said it would notify the impacted users and that there’s no evidence that anyone within or outside Facebook had access to the passwords. But still, those users, and perhaps anyone else, might want to change their password or enable two-factor authentication just to make sure. That’s never a bad idea anyway.