Facebook stored passwords for hundreds of millions of users in plain text, for years, exposing them to anyone who had internal access to the files.
According to Krebs on Security, which first reported the security flaw, between 200 million and 600 million users are believed to have been affected. Although there is no evidence that the plain-text passwords were exposed outside of the company or that they were abused internally, an inquiry dating as far back as 2012 discovered that the passwords were accessible to as many as 20,000 company employees.
In a blog post, titled “Keeping Passwords Secure,” Pedro Canahuati, Facebook’s VP Engineering, Security and Privacy, wrote:
As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable.
Canahuati also said, as a precaution, Facebook will notify everyone whose passwords were stored in this way.
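The technique Canahuati refers to, masking passwords so that stored records are unreadable, is salted password hashing with a slow key-derivation function. The example below is added here and is not Facebook's code or anything from the blog post; it uses only the Python standard library. It stores a password as a PBKDF2-HMAC-SHA256 record, verifies a login in constant time, and runs the kind of storage audit a routine security review would perform: a constructed canary credential is planted and the stores are scanned for any record in which it is still readable. The iteration count, record format and sample records are assumptions chosen for illustration.

```python
"""Added example (not Facebook's code): salted password hashing with a
constant-time check, plus a simple audit that flags storage records in which
a known canary password survives in readable form."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# PBKDF2 work factor; an assumed value, tune it to your own hardware budget.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per password means two users with the same password
    get different records, and the plaintext never appears in storage.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: refuse rather than guess
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_storage(records: Dict[str, str], canary_password: str) -> List[str]:
    """Return the keys of every record where the canary password is readable.

    A review plants a known test credential through the normal login path and
    then scans internal stores and logs; any hit means a code path is writing
    passwords before they are hashed.
    """
    return [key for key, value in records.items() if canary_password in value]


# Constructed canary credential; it belongs to no real user.
CANARY = "hunter2-canary"

# Constructed sample stores: one kept the password readable (the flaw described
# in the article), the other stored only the hashed record.
PLAINTEXT_STORE = {"user:alice": "alice:" + CANARY}
HASHED_STORE = {"user:alice": hash_password(CANARY)}


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password ok:", verify_password("wrong", record))
    print("readable in plaintext store:", audit_storage(PLAINTEXT_STORE, CANARY))
    print("readable in hashed store:", audit_storage(HASHED_STORE, CANARY))
```

The audit is deliberately simple: it only catches verbatim copies of the canary, so in practice it is run against every internal store and log sink that the login path can reach, and with several canaries of differing character sets. The record format carries its own iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login.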