Mar 21, 2019 - Technology

Facebook stored hundreds of millions of user passwords in plain text

Mark Zuckerberg bites his lip.

Facebook's CEO Mark Zuckerberg. Photo: Christophe Morin/IP3/Getty Images

For years, Facebook has been storing hundreds of millions of users’ passwords exposed in plain text in an internal database that is searchable by tens of thousands employees, Brian Krebs of KrebsOnSecurity reports.

Why it matters: Although Facebook says it has no evidence that the database was abused by employees, this is just the latest example in a string of controversies over the company's handling of users’ information and privacy. In the last few months alone, Facebook has come under fire for sharing user data — including private messages — with other businesses and allowing users to be looked up by their phone numbers.

The big picture: Facebook is on the cusp of integrating several apps with messaging capabilities into 1 communications structure, which has raised questions among privacy advocates and lawmakers alike over Facebook's shaky track record on privacy.


  • Facebook found the security issue in January during a “routing security review,” the company's VP of engineering, security and privacy wrote in a blog post. In some cases the exposure of the passwords goes back as far as 2012.
  • Facebook will be notifying the users whose passwords were affected.
  • By the numbers: 20,000 employees could search the database and between 200 million and 600 million users had their passwords stored in plain text, per Krebs.
  • Security-aware companies typically store passwords in encrypted or otherwise obscured formats that don't allow them to be read, even by their own employees.
Go deeper