Facebook Stored Millions of Unencrypted Instagram Passwords

In March of this year, as you may recall, Facebook announced that it had stored hundreds of millions of user passwords in plain text. At the time, Facebook said it would notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” about this.

On April 18, 2019, Facebook made an update to their original Facebook Newsroom post titled “Keeping Passwords Secure” (which was originally posted on March 21, 2019).

Here is what was added:

Since this post was published, we discovered additional logs of Instagram passwords being stored in readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation determined that these stored passwords were not internally abused or improperly accessed.

Personally, I’m wondering just what is going on at Facebook (and Instagram) that causes it to collect and store users’ passwords in plain text. That’s an obvious security concern. The number of unencrypted Instagram passwords has jumped from tens of thousands to millions. It is disturbing that Facebook misreported that number.

Not all passwords were stored unencrypted, but millions of them were. Why is that happening? To me, it sounds like passwords are not being stored in plain text systematically; if they were, every user’s password would have been stored unencrypted. Something, or someone, appears to be selecting certain passwords to store improperly.

Ironically, the original blog post (before Facebook added the update) recommends that users affected by this security issue change their passwords and pick strong, complex ones. That is good advice in general, but I don’t think doing so will protect users from having their unencrypted passwords stored on Facebook’s and Instagram’s servers.