Facebook employees had access to hundreds of millions of user passwords over the past few years, the social media giant said on Thursday, a disclosure that will bring even more scrutiny to a company that has battled a flood of negative headlines over the past year.
The passwords were stored in a readable format on internal systems, Vice President Pedro Canahuati wrote in a blog post, adding that the firm’s login systems are “designed to mask passwords using techniques that make them unreadable.”
The company has since fixed the issue -- first reported by cybersecurity site Krebs on Security -- and plans to notify users who had passwords stored in that manner.
Facebook estimates the total to include “tens of millions of Facebook users” and “tens of thousands of Instagram users.” It will also impact hundreds of millions of users of Facebook Lite, a version of the social platform used in countries that don’t have as strong wireless networks.
“There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” Canahuati wrote.
Since the revelation that a British political consulting firm tapped by the Trump administration in the run-up to the 2016 election had access to the personal information of as many as 87 million Facebook users, the company has been trying to manage a deluge of negative headlines surrounding its data collection practices.
The various scandals have elicited intense congressional scrutiny -- including separate hearings with CEO Mark Zuckerberg and COO Sheryl Sandberg -- and government investigations, and have weighed on Facebook's stock.
In October, for example, a hacker stole personal information from 29 million accounts. Facebook’s deal with tech firms to share user data without explicit consent is also under criminal investigation, according to the New York Times.
Facebook has pledged to address its numerous issues and says it has already changed many of the old policies that led to the improper access of user information.