Facebook now says ‘millions’ of Instagram passwords were exposed, not ‘tens of thousands’

Published Apr 18th, 2019 3:57PM EDT

Well, that’s a heck of a revision. Back in March, as part of a disclosure about Facebook having learned that some user passwords were being stored in plain text and easily searchable by thousands of Facebook employees, the company acknowledged that this included the passwords of “tens of thousands” of Instagram users.

A few weeks after making that initial disclosure in a blog post, though, Facebook today revised that number to “millions,” not tens of thousands. (Whoops!)

Facebook today updated that initial blog post, which was published on March 21, to note that “we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.”

The social network says its investigation has determined that the affected passwords were not internally abused or improperly accessed. Still, it’s one more black eye for a company that’s been dealt its fair share in recent weeks, with one of the most recent being a deep-dive into the company published on Monday by Wired, titled “15 Months of Fresh Hell Inside Facebook.”

It turned up a number of juicy anecdotes about the company’s approach to all-out growth and privacy, and specifically its top executives’ attitudes to both of those things. One example: Instagram co-founder Kevin Systrom privately speculating to people, just before he and fellow co-founder Mike Krieger decided to abruptly quit, that CEO Mark Zuckerberg was giving him the same treatment Donald Trump gave former Attorney General Jeff Sessions. Making him so miserable, in other words, that he’d quit instead of sticking around.

Cybersecurity journalist Brian Krebs, meanwhile, wrote at the time of Facebook’s initial password disclosure in March that, according to a Facebook insider, access logs showed a couple thousand engineers or developers had made about 9 million internal queries for data elements that contained “plain text user passwords.”

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, Krebs reported that his source told him. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

A Facebook engineer did make clear to him the company hadn’t found any instances of someone intentionally looking for passwords, or signs that data had been misused.

Andy Meek Trending News Editor