Facebook left millions of Instagram passwords unencrypted on a server, buries the announcement in an old blog post

Facebook also published the update just before the release of the long-awaited Mueller report - a move that’s likely to reduce the public’s awareness of Facebook’s mistake.


It’s been less than two days since leaked documents showed that Facebook CEO Mark Zuckerberg had been using personal data to gain leverage over business partners. And now Facebook is facing yet another privacy scandal by admitting that millions of Instagram passwords were stored on its servers in a readable format and that thousands of Facebook employees had access to these passwords.

To make matters worse, Facebook buried this admission in an old blog post and released it just before the publication of the highly anticipated Mueller report on alleged Russian election interference.

Facebook usually publishes a new post to the Facebook Newsroom to let users and the media know when a major data breach has occurred. However, this time, instead of publishing a new post to let people know that millions of Instagram passwords had been accidentally stored unencrypted on its servers, Facebook added the following update to an old post about a similar issue from March 21:

“(Update on April 18, 2019 at 7AM PT: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed).”

The original post estimated that tens of thousands of Instagram passwords had been stored on Facebook servers in a readable format, so today’s update shows that the scale of the problem was much larger than Facebook originally reported.

According to MacRumors, these unencrypted plain text passwords could have been accessed by thousands of Facebook employees. However, Facebook claims that none of these passwords were accessed improperly by employees.

The fact that Facebook buried this update in a blog post that’s nearly a month old isn’t the only concerning aspect of this story. The timing is also rather suspect, with Facebook publishing it just before the release of Robert Mueller’s long-awaited report into whether President Trump or members of his campaign colluded with Russia to alter the outcome of the 2016 election. Updating the blog post just before this major news event is likely to reduce the public’s awareness of Facebook’s blunder.

Even by Facebook’s standards, this has been an incredibly turbulent week for the company. Earlier this week, thousands of pages of leaked documents revealed that CEO Zuckerberg was trading sensitive Facebook user data with business partners in order to gain a competitive advantage. And just days before this leak, news broke that Facebook shareholders were attempting to fire Zuckerberg.


Tom Parker

Tom Parker is a head contributor for Reclaim The Net and provides news and analysis on how we can promote free speech, stop censorship, and protect our personal data online.