Facebook reportedly left passwords stored in plain text since 2012

Facebook is in hot water once again.

The social media giant on Thursday acknowledged having stored hundreds of millions of user passwords in plain text when they should have been encrypted. This followed a report from journalist Brian Krebs on Facebook not encrypting passwords, which said this has been happening "in some cases going back to 2012."

Krebs quoted a Facebook source as saying "between 200 million and 600 million" users have been affected by this. In a blog post, Facebook didn't provide an exact number but said it would notify "hundreds of millions" of affected Facebook Lite users, as well as "tens of millions" of other Facebook users and "tens of thousands" of Instagram users.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

These unencrypted passwords were searchable in a database that could be accessed by 20,000 Facebook employees, Krebs reports. Facebook says it discovered this during a security review in January but found "no evidence to date that anyone internally abused or improperly accessed the passwords."

This is only the latest bit of bad press for the scandal-plagued Facebook, which The New York Times reported last week is under criminal investigation over deals made with other companies over its user's data. Facebook told the Times it is "cooperating with investigators and take those probes seriously." After the company's Thursday revelations, the Times' Mike Isaac quoted a Facebook employee as saying, "working at Facebook is like living the Sideshow Bob stepping on rakes GIF."