It’s time to change your Facebook (and Facebook-adjacent-apps) password.
Security researcher Brian Krebs on Thursday revealed that “hundreds of millions” of user passwords have been stored in plain text—easily searchable by social network employees—for as long as seven years.
Facebook said it spotted the breach during a routine security review in January (yet kept it a secret for two months, until Krebs forced their hand).
“Our login systems are designed to mask passwords using techniques that make them unreadable,” Pedro Canahuati, VP of engineering, security, and privacy at Facebook, wrote in a blog post.
In security terms, the company “hashes” and “salts” passwords, replacing each actual password with a random-looking, incomprehensible string of characters.
It’s unclear, then, why so many passwords—between 200 million and 600 million—were exposed in plain text to more than 20,000 Facebook employees.
“In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this,” Facebook software engineer Scott Renfro told KrebsOnSecurity.
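As an added illustration (not code from Facebook or from this article), here is the technique Canahuati describes next to the failure mode Renfro mentions: passwords salted and hashed before storage, and a log filter that redacts password fields so the plain-text value never reaches a log line. The sample log lines and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed illustration: a salted hash keeps the stored value unreadable,
# and a log filter keeps the plain-text value out of log lines.

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte salt per user means two users
    with the same password get different digests, and the digest cannot be
    turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

# Matches a password-like field followed by a quoted or bare value.
SENSITIVE = re.compile(
    r'(?i)(\b(?:password|passwd|pwd)\b["\']?\s*[=:]\s*)'  # field name + separator
    r'(?:"[^"]*"|\'[^\']*\'|[^\s&,}]*)'                    # the value itself
)

def redact(line):
    """Replace the value of any password-like field before the line is logged."""
    return SENSITIVE.sub(r"\g<1>[REDACTED]", line)

def find_plaintext_passwords(lines):
    """Detection over existing logs: 1-based numbers of lines carrying a password field."""
    return [n for n, line in enumerate(lines, 1) if SENSITIVE.search(line)]

# Constructed sample log lines (not real Facebook logs).
SAMPLE_LOG = [
    "2019-01-14T10:02:11Z INFO login ok user=alice src=10.0.0.5",
    "2019-01-14T10:02:12Z DEBUG login request user=alice password=hunter2",
    "2019-01-14T10:03:40Z INFO session refresh user=bob",
    '2019-01-14T10:04:02Z DEBUG body={"user": "bob", "password": "Tr0ub4dor&3"}',
]

if __name__ == "__main__":
    salt, digest = hash_password("hunter2")
    print(verify_password("hunter2", salt, digest))  # True
    print(find_plaintext_passwords(SAMPLE_LOG))       # [2, 4]
    for line in SAMPLE_LOG:
        print(redact(line))
```

Running the detection over a log archive gives the same kind of evidence Krebs cites (which lines carried a password field), while the redaction filter belongs at the logging layer so the value is never written in the first place.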
Citing an anonymous Facebook insider, Krebs reported that access logs showed some 2,000 engineers and developers made approximately 9 million queries for data elements containing plain-text user passwords.
“To be clear, these passwords were never visible to anyone outside of Facebook,” Canahuati confirmed. “We have found no evidence to date that anyone internally abused or improperly accessed them.”
The social network has since fixed the issue, and is notifying anyone whose passwords were stored incorrectly—including Facebook, Facebook Lite, and Instagram users.
It’s always a good idea to change your passwords after a security breach. Choose strong, complex, and preferably unique passphrases, and enable two-factor authentication wherever it is offered.
“There is nothing more important to us than protecting people’s information,” Canahuati wrote on the blog. “And we will continue making improvements as part of our ongoing security efforts at Facebook.”