Facebook revealed on Thursday it didn't properly mask the passwords of hundreds of millions of its users and stored them in an internal database that could be accessed by its staff.
The company said it discovered the passwords during a security review in January and launched an investigation. Facebook did not say for how long they had been storing passwords in this way.
It will be notifying hundreds of millions of Facebook users and tens of thousands of Instagram users if their passwords were involved.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," Pedro Canahuati, a Facebook vice president wrote on Thursday.
He added that Facebook typically "masks people's passwords when they create an account so that no one at the company can see them."
Keeping passwords hashed, or encrypted, is widely regarded as fundamental to cybersecurity, as passwords exist to for users to authenticate their identity without others knowing how.
"Encrypting passwords is Security 101," said Marcus Carey, the CEO Threatcare, an Austin cybersecurity company. "If they can't get the basic principles of cybersecurity right, they are surely failing on the tougher challenges."
Facebook shared information about the security incident soon after it was first reported by Krebs on Security.
Facebook said that hundreds of millions of users of Facebook Lite had been impacted, while tens of millions of regular Facebook users were impacted.
Facebook Lite is a version of Facebook popular among people in parts of the world with less connectivity. CNN Business has asked Facebook why users of Facebook Lite were so highly impacted.
In Europe, Facebook is headquartered in Ireland, where it is regulated by the Irish Data Protection Commission. A commission spokesperson told CNN Business that Facebook had informed it of the issue and that it was awaiting further information. The commission currently has several investigations into Facebook's compliance with European data laws ongoing; the company could face fines upwards of $1 billion as a result of those investigations.
- Facebook staff had access to hundreds of millions of people's passwords
- Twitter finds security bug, advises changing passwords
- Millions impacted by Facebook hack
- Facebook staff had concerns about 'sketchy' Cambridge Analytica year before 2016 election
- Facebook bug accesses iPhone's camera while user scrolls through News Feed
- How to check what Facebook hackers accessed in your account
- Hundreds of millions of Facebook records exposed on Amazon cloud servers
- Facebook security breach impacts 50 million users
- Younger Americans less apt to use unique passwords
- New email scam claims to know account passwords