Facebook Stored Hundreds of Millions Passwords in Plain Text, Thousands of Employees Had Access - MacRumors
Skip to Content

Facebook Stored Hundreds of Millions Passwords in Plain Text, Thousands of Employees Had Access

Facebook today announced that during a routine security review it discovered "some user passwords" were stored in a readable format within its internal data storage systems, accessible by employees.

As it turns out, "some user passwords" actually means hundreds of millions of passwords. A Facebook insider told KrebsOnSecurity that between 200 and 600 million Facebook users may have had their account passwords stored in plain text in a database accessible to 20,000 Facebook employees. Some Instagram passwords were also included, and Facebook claims many of the passwords came from Facebook Lite users.

facebooksecurity
Facebook says that there's no "evidence to date" that anyone within Facebook abused or improperly accessed the passwords, but KrebsOnSecurity's source says 2,000 engineers or developers made around nine million internal queries for data elements that contained plain text user passwords.

Facebook employees reportedly built applications that logged unencrypted password data, which is how the passwords were exposed. Facebook hasn't determined exactly how many passwords were stored in plain text, nor how long they were visible.

Facebook plans to notify users whose passwords were improperly stored, and the company says that it has been looking at the ways certain categories of information, such as access tokens, are stored, and correcting problems as they're found.

"There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook," reads Facebook's blog post.

Facebook and Instagram users who are concerned about their account security should change their passwords, using unique passwords that are different from passwords used on other sites. Facebook also recommends users enable two-factor authentication.

Popular Stories

Apple Event Logo

Apple Just Released a New Product

Thursday July 2, 2026 8:04 am PDT by
Apple's first product release of summer 2026 occurred this week, but do not get too excited, as it is merely the Beats Solo Buds in a new color. Beats Solo Buds are now offered in orange through Best Buy in the U.S., with availability set to expand to 7-Eleven stores in Japan on July 4. Apple already offered orange Solo Buds in India for free with the purchase of an iPhone 15 or iPhone 15 ...
iphone 17 ceramic shield

iPhone 18 With 9GB RAM Still Won't Support Two New iOS 27 Features

Friday July 3, 2026 12:10 pm PDT by
The lower-end iPhone 18 and iPhone 18e will be equipped with 9GB of RAM, up from 8GB in the iPhone 17 and iPhone 17e, according to supply chain analyst Ming-Chi Kuo. In a social media post, Kuo said the 1GB increase in RAM will ensure that Apple Intelligence features continue to run smoothly on the pair of devices. The higher-end iPhone 18 Pro, iPhone 18 Pro Max, and foldable "iPhone Ultra...
iPhone X 2022 Upload

'iPhone Ultra' Likely to 'Repeat the iPhone X Story'

Sunday July 5, 2026 10:28 am PDT by
Apple will likely "repeat the iPhone X story" by unveiling its foldable iPhone at the same time as the iPhone 18 Pro and iPhone 18 Pro Max, but starting foldable iPhone pre-orders at a later date, according to analyst Ming-Chi Kuo. Kuo today said manufacturing challenges have limited early production of the foldable iPhone, which will reportedly be named iPhone Ultra. As a result, he...

Top Rated Comments

dannyyankou Avatar
95 months ago
Delete Facebook and delete your accounts
Score: 104 Votes (Like | Disagree)
wesleypitts Avatar
95 months ago
How is this company not being criminally prosecuted?
Score: 84 Votes (Like | Disagree)
JimmyBanks6 Avatar
95 months ago
While many are saying "is anyone surprised" I actually am at this.

This is one of the largest corporations in the world, whose sole business is its internet applications, and they ignored one of the most basic security expectations of hashing a password?

That is absolutely surprising and shameful and there is no excuse from them that is acceptable.
Score: 47 Votes (Like | Disagree)
AngerDanger Avatar
95 months ago
Consider my mind blown.

Score: 35 Votes (Like | Disagree)
95 months ago
I'm shocked at Facebook's lack of security!
Said nobody.
Score: 34 Votes (Like | Disagree)
johnalan Avatar
95 months ago
Disgusting.


Use privacy enhancing tech or pay the price, in future privacy will be currency.

* GPG
* Veracrypt
* Monero
* VPN
* DuckDuckGo
* Pi.hole
Score: 31 Votes (Like | Disagree)