Facebook stored millions of Instagram passwords in a readable format and asked users for their email account passwords for “verification.”
On 21st March 2018, the social media giant Facebook admitted that it had stored the passwords of 600 million users, including “tens of thousands” of passwords belonging to Instagram users, in plain text, where they were accessible to over 20,000 employees.
Facebook stored millions of Instagram passwords in plain-text.
Now, Facebook has issued another update regarding the incident from last month, revealing that it has found additional logs of Instagram passwords stored in a “readable” format, meaning that the number of leaked Instagram passwords is more than just tens of thousands.
“We now estimate that this issue impacted millions of Instagram users,” said Facebook.
According to Pedro Canahuati, VP Engineering, Security and Privacy at Facebook, there is no evidence that these passwords were “internally abused or improperly accessed.” However, Instagram users impacted by the incident will be notified by the company.
It is worth noting that Canahuati did not give the exact number of Instagram passwords that were exposed to the company’s employees. However, if you have an Instagram account, change your password right now to be on the safe side.
Moreover, use two-factor authentication on every service that you use, including Facebook, Instagram, Twitter, and Gmail. In case of suspicious activity, change your password again, and do not use the same password for other services.
Facebook harvested 1.5 million users’ email contacts without consent.
In another incident, Facebook was once again found playing with user privacy after it was caught harvesting email contacts of 1.5 million users without their consent.
According to Business Insider, between May 2016 and last month, Facebook asked millions of its new users to verify their login email address by sharing its password with the company. Once the user shared their password, Facebook would import the email address without their knowledge or permission.
In total, over 1.5 million users had their email addresses imported after being forced to share their passwords. In a statement to BI, Facebook acknowledged the issue but claimed that “in some cases, people’s email contacts were also unintentionally uploaded to Facebook when they created their account.”
The company insists that none of these contacts were shared with anyone and they are now being deleted.
“We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings,” said the company.
Earlier this month, private data of 540 million Facebook users was exposed in plain text format. The data included email addresses, passwords, account IDs, identification numbers and even comments and reactions. The database was stored in plain sight without password protection.