Facebook passwords for hundreds of millions of users were stored unencrypted and accessible to employees for at least seven years.
The incident, first reported by KrebsOnSecurity, is believed to have affected anywhere between 200 million and 600 million users.
As many as 20,000 employees had access to the plaintext passwords, which were stored on internal company servers.
KrebsOnSecurity also wrote that a Facebook source indicated that roughly 2,000 company engineers and developers made “nine million internal queries for data elements that contained plain text user passwords.”
Facebook confirmed the issue in a blog post on Thursday and stated that the problem was discovered last January as part of a routine security review.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” stressed Facebook’s Pedro Canahuati, VP of engineering, security, and privacy.
While the statement failed to provide specifics, Facebook estimates that it will have to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
The company says it will not force password resets but anyone concerned about the security of their account can change their password and enable two-factor authentication.
The password incident comes as Facebook attempts to rebrand itself as a privacy-conscious company following months of continuous scandals.