Skip to main content

A Facebook, Instagram bug exposed millions of passwords to its employees


Facebook software meant to disguise user passwords from employee access failed, leaving millions of passwords visible to the network’s employees,  the company said on Thursday, March 21. The network said the bug was discovered in a routine review in January and has since been corrected. The bug exposed passwords for users on Facebook, Facebook Lite, and Instagram.

Facebook hasn’t found any evidence that the passwords were compromised externally — the bug only exposed plain text passwords for the company’s employees, according to Facebook. The company also said they haven’t found evidence of internal employees abusing the information. Facebook didn’t say why it delayed telling users after finding the bug in January.

Passwords on Facebook are meant to be encrypted. The network hashes the password, allowing the system to recognize the correct password without storing the data in plain text. To employees working on Facebook’s backend, passwords should look like jumbled characters that can’t be reverse engineered to display the actual password.

Facebook says they will notify the users that were affected by the bug. The company estimates hundreds of millions of Facebook Lite users were affected, the lightweight Facebook app designed for slower connections. Tens of millions of other Facebook users could also have compromised passwords, along with tens of thousands of Instagram users.

Facebook says that hashing is used with other procedures for password protection, like recognizing when a user signs in with a different device and prompting verification. The network says that they also check for other password breaches since users sometimes use the same passwords across multiple websites.

“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them,” Pedro Canahuati, Facebook’s vice president of engineering, security, and privacy, wrote in a blog post. “There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.”

Facebook says concerned users can reset their password for both Facebook and Instagram inside the settings for each account. The company also suggests using security keys and two-factor authentication. (Facebook, however, will use your phone number for more than two-factor authentication, so we recommend using a third-party authentication app instead of a phone number.)

For Facebook, the password bug is just another bullet point in the network’s growing list of data issues following the Cambridge Analytica scandal. CEO Mark Zuckerberg recently shared his vision for moving toward a more privacy-focused network following the increased scrutiny over the company’s data practices.

Editors' Recommendations

Hillary K. Grigonis
Hillary never planned on becoming a photographer—and then she was handed a camera at her first writing job and she's been…
Instagram has finally fixed the Stories sound bug in the latest version of its iPhone app
Closeup of the Instagram app icon.

Look, we all use Instagram in situations where we probably shouldn't. We open the app and scroll through the feed or tap through Stories spontaneously -- even when we're around other people and need to do so silently. That used to not be much of a problem -- on the iPhone, just keep your phone's mute switch flipped down, and Instagram stays silent. Except, for the last week, that hasn't been the case.

No, it's not just you: For a week now, Instagram keeps playing sound in Stories, even when your iPhone is otherwise muted. Frustratingly, if you mute your phone while in the Instagram app, it will stop the sound, but the next Story you load or video you scroll past will go right back to blaring out of your speakers. And y'know, a lot of the audio on Instagram isn't particularly subtle (thanks, TikTok).

Read more
Meta confirms it’s making a BeReal clone for Instagram
Turned on smartphone with Instagram app icon on its screen.

Meta has confirmed it is testing a BeReal clone for Instagram, called IG Candid.

In case you're unfamiliar with BeReal, it's a relatively new app that sends you a notification at a random time once a day to take a simultaneous selfie and rear-facing photo showing what you're doing within two minutes. Going by what frequent leaker and mobile developer Alessandro Paluzzi tweeted out, IG Candid works the same way.

Read more
You can now use the Add Yours sticker on Reels for Facebook and Instagram
A series of three mobile screenshots on a gray background showing the new Add Yours sticker for Facebook Reels.

As of today, Facebook and IG creators have six new features they can use for their Reels content. But of the six, the most intriguing feature is support for a sticker prompt that was first used and popularized in Instagram Stories.

Meta announced via a Facebook video post that, in addition to all of its other new Reels-focused features, it would now offer support for its Add Yours sticker prompt in Reels for both Instagram and Facebook.

Read more