
Facebook says ‘millions,’ not ‘tens of thousands,’ affected by Instagram password bug

User passwords were stored in plaintext for up to seven years.


Mikael Thalen


Posted on Apr 18, 2019   Updated on May 20, 2021, 2:30 pm CDT

Facebook has quietly updated a blog post concerning a security incident last month that was initially believed to have only affected “tens of thousands” of Instagram users. The issue, which saw Instagram users’ passwords stored in plaintext on company servers, is now said to have affected “millions.”

The social media site initially admitted in late March that passwords for users on Facebook and on Instagram had been accessible to employees for at least seven years after being stored unencrypted. Although millions of Facebook users were impacted, the company said the issue only involved tens of thousands of Instagram users.

In an addition Thursday to its original statement, Facebook attempted to stress that the stored passwords were not “internally abused or improperly accessed.”

“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format,” Facebook said. “We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.”

Facebook did not specify, however, how many millions were affected or when, exactly, it learned about the new numbers. The company’s decision to publish the update just one hour before the long-awaited Mueller report was set to be released has raised eyebrows.

The security issue adds to the seemingly endless list of scandals that has bombarded the company in recent years.

Facebook also came under fire late last month after it was learned that the social media site was asking individuals looking to create new accounts to provide the passwords to their personal emails for verification purposes. Just this Wednesday, it was learned that after obtaining those passwords, Facebook harvested the email contacts of 1.5 million people and used the data for advertising purposes.


*First Published: Apr 18, 2019, 5:13 pm CDT