Well, that’s a heck of a revision. Back in March, as part of a disclosure about Facebook having learned that some user passwords were being stored in plain text and easily searchable by thousands of Facebook employees, the company acknowledged that this included the passwords of “tens of thousands” of Instagram users.
A few weeks after making that initial disclosure in a blog post, though, Facebook today revised that number to “millions,” not tens of thousands. (Whoops!)
Facebook today updated that initial blog post, published on March 21, to note that “we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.”
The social network says its investigation has determined that the affected passwords were not internally abused or improperly accessed. Still, it’s one more black eye for a company that’s been dealt its fair share in recent weeks, with one of the most recent being a deep-dive into the company published on Monday by Wired, titled “15 Months of Fresh Hell Inside Facebook.”
It turned up a number of juicy anecdotes about the company’s approach to all-out growth and privacy, and specifically its top executives’ attitudes toward both. One example: Instagram co-founder Kevin Systrom privately speculated to people, just before he and fellow co-founder Mike Krieger decided to abruptly quit, that CEO Mark Zuckerberg was giving him the same treatment Donald Trump gave former Attorney General Jeff Sessions: making him so miserable, in other words, that he’d quit instead of sticking around.
Cybersecurity journalist Brian Krebs, meanwhile, wrote at the time of Facebook’s initial disclosure about the passwords in March that access logs, according to a Facebook insider, showed a couple thousand engineers or developers had made about 9 million internal queries for data elements that contained “plain text user passwords.”
“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, Krebs reported that his source told him. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
A Facebook engineer did make clear to him the company hadn’t found any instances of someone intentionally looking for passwords, or signs that data had been misused.