On the same morning Special Counsel Robert Mueller’s report on Russian election interference finally became public, Facebook dropped some troubling news: Millions of Instagram users’ passwords were accidentally stored unencrypted on Facebook’s servers, which means Facebook employees could access them.
Facebook first announced late last month that it had stored hundreds of millions of user passwords unencrypted on its servers, a massive security problem. At the time, it said that “tens of thousands” of Instagram passwords were also stored in this way.
On Thursday morning, Facebook updated its blog to say that, actually, “millions” of Instagram users, not “tens of thousands,” were impacted:
Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.
A Facebook spokesperson pointed Recode to the update and reiterated that “there is no evidence of abuse or misuse of these passwords.” But the timing of the update — again, during the release of Mueller’s report — doesn’t convey the message that Facebook cares strongly that users are aware of this issue.
Facebook is under investigation by numerous government agencies, including the FTC and the DOJ, for its data collection and privacy practices. It’s unclear if issues like unencrypted password storage could play a role in those investigations, but it’s not a good look regardless for a company that is already struggling mightily with user trust.
This article originally appeared on Recode.net.