Facebook employees had access to millions of unencrypted Instagram passwords

Apr 19, 2019
12:43 pm

What's the story

Just a month ago, Facebook admitted to keeping passwords of users in a readable format. The company had claimed that the credentials, which its employees had access to, included passwords of 'hundreds of millions of Facebook users' and 'tens of thousands of Instagram users'. But now, in another shocker, it has revised the number of affected Instagrammers to millions. Here are the details.

Issue

Passwords were kept in plain text

Back in March, a senior-level Facebook employee told KrebsOnSecurity that the social network kept millions of user passwords in a readable text format. Normally, passwords are hashed with a cryptographic key to prevent them from being accessed or read. But, in this case, a string of security errors associated with Facebook's products led to the passwords being logged internally.
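
As an added example (not from the article and not Facebook's code), the Python below shows the two controls this paragraph contrasts: storing only a salted one-way hash, and masking password values before request text reaches a log, plus a check a security review could run over existing logs. The field names, the form-encoded log format and the sample lines are constructed assumptions.

```python
import hashlib
import hmac
import logging
import os
import re

# Assumed secret field names in form-encoded request text (constructed for this example).
SENSITIVE = re.compile(r"\b(password|passwd|pwd)=([^&\s]+)", re.IGNORECASE)
MASK = "[REDACTED]"

def redact(text):
    """Mask the value of every password-like key=value pair."""
    return SENSITIVE.sub(lambda m: f"{m.group(1)}={MASK}", text)

class RedactingFilter(logging.Filter):
    """Attach to a logger or handler so secrets are masked before anything is written."""
    def filter(self, record):
        record.msg = redact(record.getMessage())  # format first, then mask
        record.args = ()
        return True

def hash_password(password, salt=None):
    """Storage side: keep only (salt, digest) from a slow, salted one-way function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def find_plaintext_passwords(lines):
    """Review side: 1-based numbers of log lines still holding an unmasked value."""
    return [n for n, line in enumerate(lines, 1)
            if any(m.group(2) != MASK for m in SENSITIVE.finditer(line))]

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    "POST /login user=alice&password=hunter2&next=/home",
    "GET /feed user=alice",
    "POST /login user=bob&Passwd=s3cret",
]

if __name__ == "__main__":
    print(find_plaintext_passwords(SAMPLE_LOG))
    print([redact(line) for line in SAMPLE_LOG])
```

Installing the filter with `logger.addFilter(RedactingFilter())` masks values at the point of logging, while `find_plaintext_passwords` is the kind of scan that would surface logs written before the filter existed.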

Confirmation

Facebook confirmed the issue, but claimed there was no abuse

After media outlets started reporting the matter, Facebook confirmed the issue, noting that it had discovered the unencrypted password log as part of a routine security review in January. The company added that the issue had been resolved and that the passwords were neither exposed to outsiders nor abused by anyone on the inside who had inadvertently been given access.

Impact

Turns out, the problem was worse than thought

When Facebook confirmed the issue, it claimed that hundreds of millions of users of its main and 'Lite' app and tens of thousands of Instagram users had their passwords stored in plain text. But now, in a sneaky move, the company has updated the original confirmation story, noting that millions of Instagram users were also impacted in the same way.

Quote

Here's what Facebook's update read

"We discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users," the update for the blog post read.

Questions

However, Instagram passwords were not abused

While more Instagram passwords may have been exposed in plain text, Facebook emphasizes none of the credentials were abused or accessed by its employees. The company plans to notify these users in the coming days, which means if a notification shows up on your Instagram profile, you'd have to update your password as a security measure.

Issues

Facebook needs to get a grip on privacy-related matters

The case of Instagram passwords and the way Facebook disclosed it indicate the company wanted to draw less attention this time around. The social network has been marred by a series of scandals since last year, which has significantly affected user trust. Not to mention, not even 24 hours ago, the company admitted to harvesting email contacts of new Facebook users.