Facebook has quietly revealed that it accidentally stored millions of Instagram user passwords in plaintext, a major security issue that the company had previously said only affected “tens of thousands” of users.
Yesterday, while the release of the Mueller report was dominating news headlines, Facebook updated the original news release with the following message:
Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.
The curious timing and method of Facebook’s revelation drew scorn from all corners of journalism, business, and tech:
Incredible: While the Mueller report was being released, Facebook updates an old press post titled “Keeping Passwords Secure” with the new disclosure that millions of Instagram account passwords were internally stored in readable plaintext. https://t.co/BiDfq1G8N3
— Alex Heath (@alexeheath) April 18, 2019
So Facebook chooses the busiest news day of the year to drop an announcement that millions of Instagram passwords have been compromised.
And they do it by adding an editor's note to a blog post from *March 21*. Amazing. https://t.co/r6JYNRvE43
— Ethan DeWitt (@edewittNH) April 19, 2019
If your Instagram password was one of those stored unencrypted, you’ll be receiving a message from Facebook about it. And even though Facebook doesn’t believe the passwords were compromised, you might want to go ahead and change your Instagram password anyway, along with the password on any other account that uses the same one, just to be safe.