Facebook passwords for hundreds of millions of users were stored unencrypted and accessible to employees for at least seven years.
The incident, first reported by KrebsOnSecurity, is believed to have affected anywhere between 200 million and 600 million users.
As many as 20,000 employees had access to the plaintext passwords, which were stored on internal company servers.
KrebsOnSecurity also wrote that a Facebook source indicated that roughly 2,000 company engineers and developers made “nine million internal queries for data elements that contained plain text user passwords.”
Facebook confirmed the issue in a blog post on Thursday and stated that the problem was discovered last January as part of a routine security review.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” stressed Facebook’s Pedro Canahuati, VP of engineering, security, and privacy.
While the statement failed to provide specifics, Facebook estimates that it will have to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
The company says it will not force password resets, but anyone concerned about the security of their account can change their password and enable two-factor authentication.
The password incident comes as Facebook attempts to rebrand itself as a privacy-conscious company following months of continuous scandals.
Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.