Facebook security notice announces millions of Instagram users had their passwords stored in plaintext

The update increases the number of people impacted by a March security notice.

Facebook confirmed Thursday that password credentials belonging to millions of Instagram users were stored in an insecure format. 

The company quietly updated a blog post first published March 21 to say millions of Instagram passwords, not tens of thousands as initially stated, were stored in a readable format accessible by company employees dating back to 2012. The social media company did not specify how many millions of users were affected.

“We will be notifying these users as we did the others,” the company said in its update. “Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”

Facebook last month said an internal investigation had determined that hundreds of millions of users’ passwords were stored in a format that could have allowed employees to view them. More than 20,000 employees could have accessed information about between 200 million and 600 million users, KrebsOnSecurity reported at the time.  


Thursday’s update was timed with the publication of a redacted version of Special Counsel Robert Mueller’s report on Russian interference in the 2016 presidential election, a widely anticipated event that has dwarfed coverage of other news events.

It also coincided with a Business Insider report which determined Facebook had uploaded email contacts of more than 1.5 million new Facebook users without seeking their permission since May 2016.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.
