Facebook on Thursday admitted that millions of passwords were stored in plain text on its internal servers, a security slip that left them readable by the social networking giant's employees.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," vice president of engineering, security, and privacy Pedro Canahuati said in a blog post.
The blunder was uncovered during a routine security review early this year, according to Canahuati.
This morning we announced an internal issue where we stored passwords incorrectly. We've found zero evidence that anyone outside of Facebook had access to these passwords and zero evidence of internal abuse. https://t.co/21IKC9PgOS— Facebook Newsroom (@fbnewsroom) March 21, 2019
He said that the Silicon Valley company expected to notify hundreds of millions of Facebook Lite users; tens of millions of other Facebook users, and tens of thousands of Instagram users whose passwords may have be vulnerable to prying eyes.
The basic security shortcoming was revealed on the heels of a series of controversies centered on whether Facebook properly safeguards the privacy and data of its users.
The basic data defense mistake would also appear contrary to the "Hacker Way" mantra that Facebook co-founder Mark Zuckerberg has espoused at the social network.
"One Hacker Way" is the main address of Facebook's vast campus in the California city of Menlo Park.
Brian Krebs of security news website KrebsOnSecurity.com cited an unnamed Facebook source as saying the internal investigation had so far indicated that as many as 600 million users of the social network had account passwords stored in plain text files searchable by more than 20,000 employees.
The exact number had yet to be determined, but archives with unencrypted user passwords were found dating back to the year 2012, according to Krebs.
"We have fixed these issues and as a precaution, we will be notifying everyone whose passwords we have found were stored in this way," Canahuati said.
Facebook Lite is a version of Facebook, predominantly used by people in regions with lower connectivity.
"Out of an abundance of caution, we are telling people so that they can change passwords if they choose," Facebook tweeted.
Earlier this month, Facebook came under scrutiny for using phone numbers provided for security reasons -- like two-factor authentication (2FA) -- for things like advertising and making users searchable by their phone numbers across its different platforms.
"Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third party authentication app. When you log in with your password, we will ask for a security code or to tap your security key to verify that it is you," Facebook advised.