Facebook on Thursday said that millions of Instagram passwords were stored in unencrypted form on internal servers, raising its original estimate of tens of thousands of passwords.

Facebook announced this on Thursday by updating an earlier company blog post from March 21 which had mentioned that unencrypted passwords for “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” were stored in readable format on internal servers.

Advertisement

The company updated the blog post on April 18 to say the issue had impacted “millions of Instagram users”. “We discovered additional logs of Instagram passwords being stored in a readable format,” Facebook said. “We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”

Facebook, which is Instagram’s parent company, had acknowledged last month that hundreds of millions of user passwords were stored in a readable format in its internal data storage system and that the glitch had been fixed. The company had then said the passwords were not visible to anyone outside the company and claimed it did not find any evidence of access being abused.

The statement came after KrebsonSecurity, a blog that covers computer security and cybercrime, reported that hundreds of millions of account passwords were stored in plain text and searchable by over 20,000 Facebook employees. The post reported that passwords dating back to 2012 were stored in readable text.

Advertisement

Facebook’s handling of user data has been at the centre of controversy since it admitted last year that Cambridge Analytica, a political consultancy, used an app that may have hijacked the private details of 87 million users, according to AFP.

In September, Facebook said it had discovered a security breach that has affected about 50 million users.