Facebook staff had access to hundreds of millions of passwords

Facebook reveals it did not properly mask the passwords of hundreds of millions of its users, leading to them being accessible by its staff.

Ben Ariel ,


Facebook revealed on Thursday that it did not properly mask the passwords of hundreds of millions of its users and stored them as plain text in an internal database that could be accessed by its staff, CNN reported.

The company said it discovered the exposed passwords during a security review in January and launched an investigation. Facebook did not say how long it had been storing passwords in this way.

Facebook shared information about the security incident publicly soon after it was first reported by Krebs on Security.

"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," Pedro Canahuati, a Facebook vice president wrote on Thursday in a post titled, "Keeping Passwords Secure."

He added that Facebook typically "masks people's passwords when they create an account so that no one at the company can see them."

A Facebook spokesperson told CNN Business that the password issue primarily but not exclusively affected systems associated with Facebook Lite. Hundreds of millions of users of Facebook Lite had been impacted, while tens of millions of regular Facebook users and tens of thousands of Instagram users were affected, the company said.

Facebook Lite is a simplified version of Facebook designed to work on slower internet connections and is popular among people in parts of the world with less connectivity.

The news comes days after the one year anniversary of the Cambridge Analytica scandal in which it was revealed that Facebook shared the personal data of as many as 87 million users with a political data firm.

Last September, Facebook announced it had discovered a security breach affecting nearly 50 million user accounts.

The company said that hackers exploited its "View As" feature, which lets people see what their profiles look like to someone else. Facebook stressed it has taken steps to fix the security problem and alerted law enforcement.

Several months earlier, Facebook said a bug in its software had changed the default setting on some users' posts to "public" without requesting their consent.