Skip to main content

A Facebook, Instagram bug exposed millions of passwords to its employees

Facebook

Facebook software meant to disguise user passwords from employee access failed, leaving millions of passwords visible to the network’s employees,  the company said on Thursday, March 21. The network said the bug was discovered in a routine review in January and has since been corrected. The bug exposed passwords for users on Facebook, Facebook Lite, and Instagram.

Facebook hasn’t found any evidence that the passwords were compromised externally — the bug only exposed plain text passwords for the company’s employees, according to Facebook. The company also said they haven’t found evidence of internal employees abusing the information. Facebook didn’t say why it delayed telling users after finding the bug in January.

Passwords on Facebook are meant to be encrypted. The network hashes the password, allowing the system to recognize the correct password without storing the data in plain text. To employees working on Facebook’s backend, passwords should look like jumbled characters that can’t be reverse engineered to display the actual password.

Facebook says they will notify the users that were affected by the bug. The company estimates hundreds of millions of Facebook Lite users were affected, the lightweight Facebook app designed for slower connections. Tens of millions of other Facebook users could also have compromised passwords, along with tens of thousands of Instagram users.

Facebook says that hashing is used with other procedures for password protection, like recognizing when a user signs in with a different device and prompting verification. The network says that they also check for other password breaches since users sometimes use the same passwords across multiple websites.

“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them,” Pedro Canahuati, Facebook’s vice president of engineering, security, and privacy, wrote in a blog post. “There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.”

Facebook says concerned users can reset their password for both Facebook and Instagram inside the settings for each account. The company also suggests using security keys and two-factor authentication. (Facebook, however, will use your phone number for more than two-factor authentication, so we recommend using a third-party authentication app instead of a phone number.)

For Facebook, the password bug is just another bullet point in the network’s growing list of data issues following the Cambridge Analytica scandal. CEO Mark Zuckerberg recently shared his vision for moving toward a more privacy-focused network following the increased scrutiny over the company’s data practices.

Editors' Recommendations

Hillary K. Grigonis
Hillary never planned on becoming a photographer—and then she was handed a camera at her first writing job and she's been…
Instagram and Facebook down? You’re not alone
Turned on smartphone with Instagram app icon on its screen.

Thursday morning. The work week is almost over, the weekend is just around the corner ... and that also apparently means that you can't use Instagram or Facebook. At the time of publication on Thursday, October 27, both Instagram and Facebook appear to be down.

Looking at Down Detector, reports for the outage spiked around 9:40 a.m. with 2,000+ reports. For Facebook, 65% of users are having issues with the website, another 29% are having problems with the app, and 6% are reporting issues with their feed/timeline.

Read more
Instagram has finally fixed the Stories sound bug in the latest version of its iPhone app
Closeup of the Instagram app icon.

Look, we all use Instagram in situations where we probably shouldn't. We open the app and scroll through the feed or tap through Stories spontaneously -- even when we're around other people and need to do so silently. That used to not be much of a problem -- on the iPhone, just keep your phone's mute switch flipped down, and Instagram stays silent. Except, for the last week, that hasn't been the case.

No, it's not just you: For a week now, Instagram keeps playing sound in Stories, even when your iPhone is otherwise muted. Frustratingly, if you mute your phone while in the Instagram app, it will stop the sound, but the next Story you load or video you scroll past will go right back to blaring out of your speakers. And y'know, a lot of the audio on Instagram isn't particularly subtle (thanks, TikTok).

Read more
Meta confirms it’s making a BeReal clone for Instagram
Turned on smartphone with Instagram app icon on its screen.

Meta has confirmed it is testing a BeReal clone for Instagram, called IG Candid.

In case you're unfamiliar with BeReal, it's a relatively new app that sends you a notification at a random time once a day to take a simultaneous selfie and rear-facing photo showing what you're doing within two minutes. Going by what frequent leaker and mobile developer Alessandro Paluzzi tweeted out, IG Candid works the same way.

Read more