Facebook Inc. said Thursday that a security incident that exposed Instagram passwords internally was significantly worse than first thought.
After announcing in March that a security review had found that “tens of thousands” of Instagram users’ passwords had been wrongly stored in plain text, Pedro Canahuati, Facebook’s vice president of engineering, security and privacy, said Thursday that the issue is now estimated to have affected “millions” of Instagram users.
“We will be notifying these users as we did the others,” Canahuati wrote Thursday in a blog post. “Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”
Typically, Facebook and Instagram passwords are masked on the company’s internal servers so that not even Facebook employees can see them. In March, Facebook said the exposed passwords had been stored in logs accessible to some internal engineers and developers, and that the issue had been fixed.
Facebook FB, -0.28% did not specify Thursday how many millions of Instagram users were affected, and said the additional information was discovered “only recently.”
The updated information was added to a month-old blog post Thursday morning, shortly before the Mueller report was made public in Washington, leading someonsocialmediato speculate that Facebook was trying to play down the news.
“This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way. There is no evidence of abuse or misuse of these passwords,” a Facebook spokesperson said via email.
In the original March announcement, Facebook said the password issue also affected “hundreds of millions of Facebook Lite users,” and “tens of millions of other Facebook users,” and that those users, too, would be notified of the incident.
The password issue is the latest in a series of privacy-related incidents that have plagued Facebook in the past few years, most notably the Cambridge Analytica data scandal, in which personal data from 87 million users was used without their consent. On Wednesday, Reuters reported Facebook had “unintentionally uploaded” email contacts of 1.5 million new users since March 2016.
Facebook shares, though, have been nearly impervious to bad news in recent months — they rose slightly Thursday and are up 36% year to date, compared with the S&P 500’s SPX, +0.16% 16% gain this year.