Facebook security notice announces millions of Instagram users had their passwords stored in plaintext

Facebook confirmed Thursday that password credentials belonging to millions of Instagram users were stored in an insecure format. 

The company quietly updated a blog post first published March 21 to say millions of Instagram passwords, not tens of thousands as initially stated, were stored in a readable format accessible by company employees dating back to 2012. The social media company did not specify how many millions of users were affected.

“We will be notifying these users as we did the others,” the company said in its update. “Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”

Facebook last month said an internal investigation had determined that hundreds of millions of users’ passwords were stored in a format that could have allowed employees to view them. More than 20,000 employees could have accessed information about between 200 million and 600 million users, KrebsOnSecurity reported at the time.  

Thursday’s update was timed with the publication of a redacted version of Special Counsel Robert Mueller’s report on Russian interference in the 2016 presidential election, a widely anticipated event that has dwarfed coverage of other news events.

It also coincided with a Business Insider report which determined Facebook had uploaded email contacts of more than 1.5 million new Facebook users without seeking their permission since May 2016.