Last month, Facebook revealed that millions of Instagram and Facebook passwords were stored in plaintext and were accessible by engineers. Now, the company has issued an update on the situation, revealing that the situation is worse than it originally stated.
As first noted by TechCrunch, Facebook today updated its blog post from March 21st about the incident. The company says that it has discovered “additional logs of Instagram passwords” that were stored in a readable format. In terms of scale, Facebook says this issue affected “millions of users.”
On the flip side, Facebook adds that its investigation determined that these passwords were not “abused or improperly accessed.” Nonetheless, affected users will be notified by Instagram and instructed to change their passwords.
Here’s Facebook’s full update on the situation:
“We discovered additional logs of Instagram passwords being stored in a readable format,” the company said. “We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”
Last month, Facebook said that it found through a “routine security review” that some user passwords were being stored in a readable format within our internal data storage systems. Today’s update on the situation, however, paints a much darker picture – revealing that millions of Instagram users were affected by the security lapse.
It still seems that the passwords were not accessible outside of Facebook and Instagram employees. Last month, the company said that 2,000 engineers and developers could have accessed the passwords.
As always with an incident like this, you’ll want to change your Instagram and Facebook credentials just to be safe, even if you don’t hear from Instagram that you were technically affected. Furthermore, this is yet another example of why you should use password management software like 1Password and LastPass to keep track of your credentials, and avoid using the same passwords across multiple services.