Facebook employees had access to private passwords for hundreds of millions of people

Another week, another Facebook privacy disaster.

This time, it turns out Facebook was storing the personal passwords for hundreds of millions of Facebook users unencrypted on the company servers, according to a report from the security publication Krebs on Security. That means these passwords were readable to thousands of Facebook employees, an obvious and concerning security risk.

Facebook confirmed that, yes, this was indeed the case, and Facebook discovered it in January during a “routine security review.” The company usually encrypts passwords so they aren’t viewable to hackers or other people who might have access to the servers where they are stored.

“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the company wrote in a blog post.

Facebook says the issue has been resolved and it will alert “hundreds of millions” of people whose passwords were visible. Krebs on Security reported that the number of visible passwords belonged to between 200 million and 600 million users.

The misstep is just the latest for Facebook, which has played fast and loose with user privacy and data collection practices for years. Some of the company’s old policies allowed outside developers to collect Facebook user data, often without the users understanding what was happening — and in the case of Cambridge Analytica, that data was also sold outside of Facebook to a political data firm.

Numerous software bugs led to Facebook privacy issues in 2018, and, last September, hackers stole the profile information for tens of millions of Facebook users.

Now Facebook is under investigation from multiple government agencies, including the FTC, and could face a considerable fine for its role in the Cambridge Analytica issue. It seems likely this password situation will provide regulators with yet another arrow they’ll use to try and regulate the company’s data and privacy practices.

Facebook, meanwhile, has lost the benefit of the doubt with a lot of users and regulators.

“There is nothing more important to us than protecting people’s information,” Facebook wrote on its blog.

This article originally appeared on Recode.net.

Will you support Vox’s explanatory journalism?

Most news outlets make their money through advertising or subscriptions. But when it comes to what we’re trying to do at Vox, there are a couple of big issues with relying on ads and subscriptions to keep the lights on:

First, advertising dollars go up and down with the economy. We often only know a few months out what our advertising revenue will be, which makes it hard to plan ahead.

Second, we’re not in the subscriptions business. Vox is here to help everyone understand the complex issues shaping the world — not just the people who can afford to pay for a subscription. We believe that’s an important part of building a more equal society. And we can’t do that if we have a paywall.

So even though advertising is still our biggest source of revenue, we also seek grants and reader support. (And no matter how our work is funded, we have strict guidelines on editorial independence.)

If you also believe that everyone deserves access to trusted high-quality information, will you make a gift to Vox today? Any amount helps.

One-Time Monthly Annual

$5/month

$10/month

$25/month

$50/month

Other

$

Yes, I'll give $5/month

Yes, I'll give $5/month

We accept credit card, Apple Pay, and Google Pay. You can also contribute via