Facebook late last month revealed that the social media company mistakenly stored passwords for "hundreds of millions" of Facebook users in plaintext, including "tens of thousands" of passwords of its Instagram users.
Now it appears that the incident is far worse than first reported.
Facebook today quietly updated its March press release, adding that the actual number of affected Instagram users was not in the hundreds of thousands but in the millions.
These plaintext passwords for millions of Instagram users, along with millions of Facebook users, were accessible to some Facebook engineers, who, according to the company, did not abuse them.
According to the updated post, Facebook discovered "additional logs of Instagram passwords" stored in a readable format; the company added that its investigation revealed that the stored passwords were never "abused or improperly accessed" by any of its employees.
Here’s the full updated statement posted by the company:
"Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed."
The latest revelation comes less than a day after it was revealed that Facebook had stored up to 1.5 million users' contact information on its servers, without their consent or knowledge, since May 2016.
To be on the safe side, The Hacker News recommends that you change your Facebook and Instagram passwords immediately, even if you don't receive any email from Instagram or Facebook.
Also, make sure you have enabled two-factor authentication for both services.