clock menu more-arrow no yes mobile

Filed under:

Facebook employees had access to private passwords for hundreds of millions of people

Nobody at Facebook actually did anything with your password. As far as we know.

Facebook CEO Mark Zuckerberg looking at his cellphone.
Facebook CEO Mark Zuckerberg.
Drew Angerer / Getty Images

Another week, another Facebook privacy disaster.

This time, it turns out Facebook was storing the personal passwords for hundreds of millions of Facebook users unencrypted on the company servers, according to a report from the security publication Krebs on Security. That means these passwords were readable to thousands of Facebook employees, an obvious and concerning security risk.

Facebook confirmed that, yes, this was indeed the case, and Facebook discovered it in January during a “routine security review.” The company usually encrypts passwords so they aren’t viewable to hackers or other people who might have access to the servers where they are stored.

“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the company wrote in a blog post.

Facebook says the issue has been resolved and it will alert “hundreds of millions” of people whose passwords were visible. Krebs on Security reported that the number of visible passwords belonged to between 200 million and 600 million users.

The misstep is just the latest for Facebook, which has played fast and loose with user privacy and data collection practices for years. Some of the company’s old policies allowed outside developers to collect Facebook user data, often without the users understanding what was happening — and in the case of Cambridge Analytica, that data was also sold outside of Facebook to a political data firm.

Numerous software bugs led to Facebook privacy issues in 2018, and, last September, hackers stole the profile information for tens of millions of Facebook users.

Now Facebook is under investigation from multiple government agencies, including the FTC, and could face a considerable fine for its role in the Cambridge Analytica issue. It seems likely this password situation will provide regulators with yet another arrow they’ll use to try and regulate the company’s data and privacy practices.

Facebook, meanwhile, has lost the benefit of the doubt with a lot of users and regulators.

“There is nothing more important to us than protecting people’s information,” Facebook wrote on its blog.

This article originally appeared on