Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Facebook admits millions of Instagram accounts affected by unencrypted password storage blunder

Facebook has admitted its major security breach from March where the social network stored "hundreds of millions" of plain-text passwords on internal servers was worse than first thought for users of Instagram, advising it may have affected millions of accounts on the image-sharing service and not the "tens of thousands" it initially reported.

The revelation in March involved the storage of details for between 200 million and 600 million accounts on internal servers in an unprotected, unencrypted fashion. Leaked by an anonymous senior Facebook employee, it was found the practice dated as far back as 2012, and that some 2,000 engineers made approximately 9 million queries on that data, which included passwords.

Facebook's own post about the discovery, which was in fact found in January but reported in March, has been corrected with new information about the size of the breach. The post originally estimates "hundreds of millions" of Facebook Lite users, as well as tens of millions of other Facebook users, were affected along with "tens of thousands of Instagram users."

Updated on Thursday, the post advises "additional logs of Instagram passwords being stored in a readable format" were discovered in the investigation, and that Facebook now estimates the issue "impacted millions of Instagram users." Facebook claims it will begin notifying affected users in a similar way to others.

"Our investigation has determined that these stored passwords were not internally abused or improperly accessed," the update concludes.

At the time, it was claimed Facebook had not seen any cases of employees looking intentionally for passwords, or that the data was misused. By way of explaining the existence of the insecure data trove, it was claimed the details were inadvertently logged, but that there "was no actual risk" from its creation.

Facebook has notified affected users of all of the services to prompt the creation of a new and securely stored password.

The increase in accounts affected is the latest privacy issue Facebook has faced in recent months. On Wednesday, it was found Facebook had "unintentionally uploaded" the email contacts for some 1.5 million users without their consent.

It has also been accused of sloppy security practices, questionable data sharing, leveraged user data in dealings with partners, and most famously being in the center of the Cambridge Analytica scandal and facing a record billion-dollar FTC fine.