If you've been waiting for a new reason to bash Facebook, you might just be in luck today. A report from security research company Krebs on Security, which has since been confirmed by Facebook itself, reveals that the social network improperly stored passwords for millions of its users, leaving them exposed and searchable in plain text format for thousands of its employees to find.
Facebook's own blog post, of course, doesn't provide detailed numbers, but it does say that it will be notifying "hundreds of millions" of users of its Facebook Lite app, "tens of millions" of users of the regular Facebook app, and "tens of thousands" of users of the Instagram app. Krebs on Security, for its part, claims that the number of affected users could be anywhere between 200 million and 600 million based on the information currently available, but that could go even higher. Its internal source at Facebook has said that the company is trying to keep the numbers down by only counting things that are currently stored in its data warehouse.
All of these passwords were accessible to over 20,000 Facebook employees, according to the security report. Additionally, a Facebook insider told Krebs on Security that about 2,000 employees had made nearly nine million internal queries for data elements that contained plain text passwords.
Facebook's blog post claims it hasn't found any sign of its internal workers abusing this security flaw, and reassures users that the passwords weren't exposed to anyone outside the company. As such, a password reset will not be mandatory, though users will be notified of the events and be given the option to do so.
As for how long the flaw has been going without a fix, it's not exactly clear, but the report from Krebs on Security says the current internal investigation has found archives with plain text passwords dating back to 2012.
After the number of scandals Facebook has been involved in recently, especially those revolving around Cambridge Analytica, you might think that its reputation can't be tarnished any further. But it looks like the company keeps finding ways to do that.