Facebook today revealed it’d discovered millions of improperly secured passwords on its server. So, you know… business as usual.
Facebook revealed in March it’d discovered a cache of Facebook passwords being stored in plain text form — meaning several thousand Facebook employees who had access could have read them at any time. The company stated then that the passwords included those of “hundreds of millions of Facebook Lite users” and only (only?) “tens of thousands of Instagram users.”
The company today updated the same post with this: “Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users.” I’m not saying updating an old post in lieu of making a new one was an attempt to fly under the radar — but I am saying, if that was the case, it failed miserably.
It’s also telling that the update dropped the same day the Department of Justice released the Mueller report, the findings of special counsel Robert Mueller III in the investigation of interference in the 2016 US presidential election. Unluckily for Facebook, we’re capable of being passionate about both events of extreme political importance and our account security.
This news comes mere hours after the revelation that Facebook uploaded the email contacts of almost 2 million users without their permission. My colleague Ivan Mehta jokingly called it “Facebook’s Daily Screw-up,” but by now we have enough material to make that a real thing, easily.
I’m not sure anyone can expect anything more from Facebook at this point. Security researcher Brian Krebs estimated in March that Facebook had been storing passwords in this way since 2012. By now, we should all just keep any passwords even tangentially connected with our Facebook and Instagram accounts on a weekly flip schedule. Guard them with the zealousness with which you’d guard the nuclear football, because clearly Facebook isn’t going to.
Pedro Canahuati, Facebook’s VP of Engineering, Security and Privacy, said there’s no evidence the passwords were ever accessed or misappropriated, which is something. It’s probably still a good idea to go change your own, just to be safe.