Facebook estimated it will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users, the company’s vice president of engineering, security and privacy Pedro Canahuati said in a blog post Thursday.
Mr. Canahuati said the company has fixed these issues and that “no passwords were exposed externally and we didn’t find any evidence of abuse to date.”
Facebook Lite is a stripped-down version of the product for use by people without access to reliable internet service.
The internal exposure of passwords was reported by krebsonsecurity.com earlier Thursday. Citing an unnamed senior Facebook executive, independent security researcher Brian Krebs wrote that as many as 600 million passwords were exposed, with some being improperly stored as far back as 2012. According to Mr. Krebs’s report, the files containing the passwords were accessible to as many as 20,000 Facebook employees, and around 2,000 company developers and engineers interacted with the system that contained them.
Facebook identified the issue as part of a routine security review in January, Mr. Canahuati said.
During the review, Facebook has been looking at the ways it stores some information, such as access tokens, and has fixed problems as they were discovered, he said. While Facebook will notify users whose passwords were stored insecurely “as a precaution,” it has no current plan to require those users to change their passwords.
Facebook’s login systems are designed to mask passwords, Mr. Canahuati said, running each one through a one-way hash so that the stored value cannot be turned back into the original password. His post didn’t explain why a vast quantity of login information had not been treated that way in this instance.
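The contrast the article draws is between a password that has been masked by a one-way hash and one that sits in plaintext in an internal file. The block below is an added example, not Facebook’s code and not drawn from Mr. Canahuati’s post: it stores a password as a salted scrypt hash that can be re-checked but not reversed, and beside it shows the failure mode the article describes, a debug log line that carries the raw credential, together with a redaction step that keeps it out. The scrypt work factors, the list of secret-looking keys and the log-line format are assumptions made for the example.

```python
"""Added example (not Facebook's code): salted one-way password hashing
and log redaction, showing the difference between a masked password and a
plaintext one that ends up in a log file."""
import hashlib
import hmac
import os
import re
from typing import Optional

# scrypt work factors. These values are an assumption for the example; tune
# them so that one hash costs tens of milliseconds on your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way transform: returns a record from which the password cannot be
    recovered, only re-checked. Format: scrypt$N$r$p$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per password
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), dk.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and
    compare in constant time. Malformed records never verify."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(dk.hex(), hash_hex)


# Keys whose values must never reach a log line. The list is an assumption
# for the example; a real deployment would maintain its own.
SECRET_KEYS = ("password", "passwd", "pwd", "access_token", "token")
_SECRET_RE = re.compile(
    r"(?i)\b(" + "|".join(SECRET_KEYS) + r")\b(\s*[=:]\s*)([^\s&,;]+)")


def redact_secrets(line: str) -> str:
    """Replace the value of any secret-looking key=value pair with [REDACTED]."""
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)


def log_login_unsafe(user: str, password: str) -> str:
    """The failure mode: a debug line that carries the raw credential, which
    is how a plaintext password ends up readable in an internal file."""
    return f"DEBUG login attempt user={user} password={password}"


def log_login_safe(user: str, password: str) -> str:
    """Hardened: the same line is passed through redaction before it is
    written, so the log never holds the password."""
    return redact_secrets(log_login_unsafe(user, password))


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    record = hash_password("correct horse battery staple")
    print(record)                                                   # no password visible
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
    print(log_login_unsafe("alice", "hunter2"))   # plaintext leaks into the log
    print(log_login_safe("alice", "hunter2"))     # password=[REDACTED]
```

The hash record carries its own parameters, so the work factors can be raised later without breaking verification of older records, and the comparison uses `hmac.compare_digest` so timing does not reveal how many leading bytes matched. The redaction step is deliberately applied to the formatted line rather than to individual fields, which also catches credentials that arrive in a query string or a dumped request body.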
The security lapse follows a data breach six months ago in which Facebook said attackers managed to extract data such as name, gender and hometown for around 50 million users. It also comes amid a wide-ranging Federal Trade Commission review of Facebook’s privacy policies and handling of user data. Though that probe began following a scandal over how political consulting firm Cambridge Analytica obtained Facebook user data, Facebook has said it kept the FTC abreast of other privacy and data-handling lapses.