Facebook Admits Millions of Instagram User Passwords May Have Been Revealed


Facebook stored way more Instagram passwords in a readable plaintext format than it initially thought, the company announced on Thursday.

Last month, the social media firm admitted that it stored “hundreds of millions” of user account passwords in plaintext logs. That’s a serious privacy blunder, but it was a bigger problem for users of Facebook’s flagship platform. The company said that the incident only impacted “tens of thousands” of Instagram users.

Now, Facebook is revising that number — and by quite a bit, too. In an update to the original security incident blog post, Facebook says that it now estimates that the password storage issue impacted “millions” of Instagram users.

However, the company did not reveal how many millions were affected or when exactly it discovered that more users were impacted. Facebook updated its security blog post, ironically titled “Keeping Passwords Secure,” at 7 a.m. this morning.

The plaintext password logs were accessible by around 2,000 engineers and developers at the company, but Facebook maintains that they were not “abused or improperly accessed” by those employees.

But it’s still a serious mishandling of sensitive user data. Plaintext passwords are easily readable by anyone who comes across them. If that data leaked, it could jeopardize the security of millions of internet users. That’s why most sites store passwords only as salted, one-way hashes, so even the site itself can’t read them back.
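As an added illustration, not part of the original article, the Python example below shows the two defensive measures the incident points to: storing passwords only as salted, slow hashes rather than in readable form, and filtering password-like fields out of log lines before they are written, which is the failure mode described above. The iteration count, the field names matched, and the sample log lines are assumptions constructed for this example, not Facebook's or Instagram's settings.

```python
import hashlib
import hmac
import logging
import os
import re

# Assumed work factor for the example; production systems tune this to their hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing salted PBKDF2-SHA256 record; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Matches key=value and "key": "value" forms for a few assumed credential field names.
SECRET_FIELD = re.compile(
    r'(?i)(["\']?(?:password|passwd|pwd)["\']?\s*[:=]\s*)(["\']?)[^"\'\s,}&]+\2'
)


def redact(text: str) -> str:
    """Replace the value of any password-like field with a placeholder, keeping the key."""
    return SECRET_FIELD.sub(r"\1\2[REDACTED]\2", text)


class RedactSecretsFilter(logging.Filter):
    """Logging filter that scrubs credentials from every record before a handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    log = logging.getLogger("auth")
    log.addFilter(RedactSecretsFilter())
    logging.basicConfig(level=logging.INFO)
    # Constructed sample: a debug line that would otherwise leak the credential into the log.
    log.info("login attempt user=%s password=%s", "alice", "hunter2")
```

Attach the filter to the logger (or the handler) that receives request or debug output, since a scrub applied only at the database layer does nothing for passwords that reach log files first.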

In its original blog post, the company said the plaintext password storage happened inadvertently. In other words, it was an accident. But many of those passwords were stored in plaintext for years — some logs date back to 2012.

Facebook says it will begin notifying the additional Instagram users who were impacted by the security incident.

How to Protect Yourself

In the meantime, it’s smart to change your Instagram password (even if the company has no “evidence” of abuse).

That’s especially true if you use the same password for multiple sites, which you shouldn’t be doing anyway.

Ideally, you should be using strong and unique passwords for each site or platform that you use. That’s not always an easy task, so we recommend using a password manager and opting in to two-factor authentication whenever possible.