Facebook provided an update to a previously disclosed incident involving insecurely storing “tens of thousands” of Instagram users’ passwords on internal servers in clear text. Facebook now says that “millions” of Instagram accounts are now impacted.
On March 21, Facebook said internal investigations performed by employees in January revealed thousands of Instagram user passwords were stored insecurely in a “readable format within our internal data storage systems.”
In other words, passwords were not protected via “hash” and “salt” typically provided by cryptographic solutions to make passwords unreadable.
The company added that the passwords were not visible to those outside Facebook.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Facebook noted.
However, Facebook provided an update on Thursday that the incident was worse than previously announced and now impacts millions of Instagram passwords:
“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed).”