Facebook is investigating a number of security failures that led to it storing some user passwords in plain text that was searchable by employees, with one insider telling KrebsOnSecurity that the number of affected users was between 200 million to 600 million.
The failings were allegedly caused by employees building applications that logged unencrypted password data for Facebook users then stored it in plain text on internal company servers. The passwords were reportedly left searchable by more than 20,000 employees, with inquiries finding plain text user passwords dating back to 2012.
"The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds" of affected users, the source has stated. "Right now, they're working on an effort to reduce that number even more by only counting things we have currently in our data warehouse."
Scott Renfro, a software engineer at Facebook, told the publication that the social media giant was not ready to talk about the specific numbers. He noted that Facebook planned to inform affected users but added that no password resets would be required.
"We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data," Renfro stated. "In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this. We want to make sure we're reserving those steps and only force a password change in cases where there's definitely been signs of abuse."
Facebook added in a written statement that the company intends to notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users".
The news follows a number of data scandals that have plagued the social media firm for the last year, most prominently the Cambridge Analytica scandal in which 50 million users' data was shared by Facebook. It was then revealed in June and December 2018 that the social media giant had given Amazon, Spotify, Microsoft, Netflix, Sony and others unconsented access to data, among various other controversies.