Facebook has issued a statement revising the one it made in March 2019, which said that only "tens of thousands" of Instagram users' passwords were stored in plaintext. The social media platform has now revealed that millions of Instagram user passwords were stored in a readable plaintext format.
When initially making the announcement on 21 March 2019, Facebook stated that, as part of a routine security review which took place in January 2019, they "found" that some user passwords were being stored in a readable format on their internal data storage systems.
"Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed," reads a statement by Pedro Canahuati, VP Engineering, Security and Privacy at Facebook on 18 April 2019.
Security and privacy concerns at Facebook
This updated revelation by Facebook comes barely 24 hours after another privacy-related scandal at Mark Zuckerberg's social media platform. Earlier today, Facebook admitted to uploading the e-mail contacts of 1.5 million users without asking the users for permission.
All these privacy scandals, especially the two recent ones, raise questions about Facebook's operations and how seriously it takes the task of collecting and storing user data. It goes without saying that storing passwords in plaintext is the worst security practice any company can engage in, especially one with the type of resources that Facebook has.
Facebook says these passwords have not been exposed externally, but can we really trust them on this?
The other question is whether all Facebook (Instagram) staff, or which of them, had access to these login credentials, and what they did with them.
"In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them. There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook," said Canahuati.
This is a developing story and we will update it with more information as it becomes available.