Facebook admits that it severely underreported a bug that stored Instagram passwords in plaintext. Last month, the company reported that “tens of thousands” of the platforms user's were affected, but new logs suggest it was in the millions.
“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format,” says the social media giant. “We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.”
As before, Facebook says it has no evidence of the misuse of these passwords. A former admittance of improperly stored Facebook passwords puts the readable number at hundreds of millions.
However, it's worth noting that these details were allegedly searchable by 20,000 Facebook employees. Krebs On Security says 2,000 engineers of developers “made approximately nine million internal queries for data elements that contained plaintext user passwords”.
“We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Facebook's Renfro assured the publication. “In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this.”
Worrying PR Tactics
Regardless of the risk, a major concern is Facebook's selective publication of the update just before the long-awaited Mueller report went live. Previously, the company has launched a tool to inform users of exposure to Russian Propaganda just before Christmas (via CNN). The initial announcement of the tool was the day before Thanksgiving.
The company also released a report about its failure to prevent political division tactics the night before the US midterm election. Thankfully, it's trivial to keep an eye on Facebook's announcements via RSS these days, so media outlets will always pick it up. It's just a matter of whether users will see them.
It's important that as many users see vital security updates as possible. Facebook doesn't appear to be recommending a password change, but it's better to be safe than sorry. Microsoft is another company to under-report security issues recently, first implying its Outlook breach didn't contain emails, then going back on the statement.