Unknown to hundreds of millions of Facebook users, their passwords were sitting in plain text inside the company's data storage, leaving them vulnerable to potential employee misuse and cyberattack for years.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," Facebook's Vice President for Engineering, Security and Privacy Pedro Canahuati said in a statement Thursday.
Staff made the discovery in January, during a routine security check, he said.
The company plans to notify hundreds of millions of Facebook Lite users, in areas with scant connectivity, as well as tens of millions of other Facebook users and tens of thousands of Instagram users.
The announcement came in the midst of a report by cybersecurity blog Krebs on Security, which cited an anonymous Facebook source. As many as 600 million users may have been affected, according to the source.
"My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords," blogger Brian Krebs stated.
The archives date back to 2012, according to the report.
Thursday's disclosure is the latest in a slew of controversies. In 2018, the world learned that political consulting firm Cambridge Analytica harvested information on millions of Facebook users. Later that year, Facebook announced a massive security breach affecting nearly 50 million accounts.
"This is a company that goes from crisis to crisis," Jeff Chester, executive director of the Center for Digital Democracy, tells NPR.
He says it's part of a pattern. "Although Facebook is not alone, the problem is that the focus has been on turning all this data into revenue to help advertisers and not enough has been done to help data security."
There have been accusations of discriminatory ad targeting, discoveries that the company was collecting data from third-party apps on people's personal details such as menstrual cycles, photos which were accidentally made available to app developers, reports that users' phone numbers – submitted for security — were targeted by advertisers "within a couple of weeks," and a scathing New York Times article on Facebook's attempt to discredit critics with a Washington consulting firm.
Last month, British lawmakers likened Facebook to "digital gangsters" who shunned accountability as disinformation spread like wildfire on social media.
Federal prosecutors are currently conducting a criminal investigation into arrangements Facebook made with Amazon, Apple and other tech giants, according to the New York Times. The partnership may have enabled the companies to access troves of user data without consent, at times without consent.
Chester says news of the password storage insecurity could add fuel to a flame burning in Washington among lawmakers pushing for regulations on big tech companies. "This makes the case for Congress passing privacy legislation and toughening up cybersecurity laws as well," Chester says.
Facebook insists privacy is its top priority.
"There is nothing more important to us," Canahuati said, "than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook."
Note: Facebook is among NPR's financial supporters.