Facebook revealed on Thursday it didn’t properly mask the passwords of hundreds of millions of its users and stored them in an internal database that could be accessed by its staff.
The company said it discovered the passwords during a security review in January and launched an investigation. Facebook did not say for how long they had been storing passwords in this way.
It will be notifying hundreds of millions of Facebook users and tens of thousands of Instagram users if their passwords were involved.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Pedro Canahuati, a Facebook vice president wrote on Thursday.
He added that Facebook typically “masks people’s passwords when they create an account so that no one at the company can see them.”
Keeping passwords hashed, or encrypted, is widely regarded as fundamental to cybersecurity, as passwords exist to for users to authenticate their identity without others knowing how.
“Encrypting passwords is Security 101,” said Marcus Carey, the CEO Threatcare, an Austin cybersecurity company. “If they can’t get the basic principles of cybersecurity right, they are surely failing on the tougher challenges.”
Facebook shared information about the security incident soon after it was first reported by Krebs on Security.
Facebook said that hundreds of millions of users of Facebook Lite had been impacted, while tens of millions of regular Facebook users were impacted.
Facebook Lite is a version of Facebook popular among people in parts of the world with less connectivity. CNN Business has asked Facebook why users of Facebook Lite were so highly impacted.
In Europe, Facebook is headquartered in Ireland, where it is regulated by the Irish Data Protection Commission. A commission spokesperson told CNN Business that Facebook had informed it of the issue and that it was awaiting further information. The commission currently has several investigations into Facebook’s compliance with European data laws ongoing; the company could face fines upwards of $1 billion as a result of those investigations.