Millions of Facebook Passwords Left Exposed
Facebook says there's no evidence the information was stolen or misused, but here's how to change your password anyway
Update: On April 18, Facebook revealed that it had discovered more passwords stored in a readable format that would have allowed Facebook employees to see them. This latest development increases the company’s estimate of Instagram users affected from “tens of thousands” to “millions.” This article was originally published March 21.
Facebook announced March 20 in a blog post that passwords belonging to “hundreds of millions” of users were stored unencrypted on the company’s servers, where they could have been accessed improperly by Facebook employees.
The company says that it has no evidence that the passwords were stolen or misused and that they weren’t available to anyone outside the company. The problem was discovered in January, according to the blog post.
“We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” the post said.
That will include “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the post said. Facebook Lite is designed to work over slow data connections.
The new incident doesn’t pose much danger to consumer data, according to privacy experts, but it further erodes consumer trust in Facebook’s privacy and security practices.
“This is far from the first privacy and security incident at Facebook within the last year,” says Justin Brookman, director of consumer privacy and technology policy at Consumer Reports. “Software bugs happen, especially at large institutions like Facebook with so many moving parts, but it’s surprising that an issue of this magnitude slipped through for as long as it did.”
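The core defect described above is a credential store that keeps the password itself, so anyone who can read the store can read the password. The following added example (not code from Facebook or from this article) contrasts that pattern with the standard safeguard: storing only a salted, slow hash so that the raw password never persists. The store classes, the `600_000` PBKDF2 work factor, and the user names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Flawed pattern: the record IS the password, readable by anyone with store access.
class PlaintextStore:
    def __init__(self):
        self.records = {}

    def register(self, user, password):
        self.records[user] = password

    def verify(self, user, password):
        return self.records.get(user) == password


# Hardened pattern: persist only a salted PBKDF2-HMAC-SHA256 digest.
ITERATIONS = 600_000  # assumed work factor; tune to the deployment's hardware


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept
    _, iterations, salt_b64, digest_b64 = parts
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


class HashedStore:
    def __init__(self):
        self.records = {}

    def register(self, user, password):
        self.records[user] = hash_password(password)

    def verify(self, user, password):
        stored = self.records.get(user)
        return stored is not None and verify_password(password, stored)


def password_is_recoverable(store, user, password):
    """Audit check: does the stored record expose the password verbatim?"""
    return store.records.get(user) == password
```

The `password_is_recoverable` check is the kind of audit that would have flagged the plaintext records: it reports true for `PlaintextStore` and false for `HashedStore`, even though both verify logins correctly.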
What Steps Should You Take Right Now?
Facebook says it will soon start alerting users whose passwords were stored in plain text. There’s no reason to wait.
If you use Facebook or Instagram, it’s a good idea to change your password. To add another layer of defense, activate two-factor authentication.
Once you turn the feature on, the service will send you a verification code—via a text or an app—to confirm your identity anytime you access your account from a new location, device, or browser. That makes it significantly more difficult for someone to break into your account, even if they know your password.
To adjust your Facebook log-in credentials using a computer browser, head to the Privacy Shortcuts page by clicking the question mark icon in the top right corner, then scroll down to change your password and turn on two-factor authentication. To make the same changes in Instagram, open the mobile app, select Settings, and tap Privacy and Security.
CR’s Richter says it’s better to use an app such as Duo Mobile or Google Authenticator for two-factor authentication instead of text messages. Those options are available in the settings for both Facebook and Instagram.
While you’re at it, introduce some friction for would-be hackers by following our guide to better passwords. One tip to get you started: Steer clear of any passwords you’ve used before.
If you really want to protect yourself, many privacy and security experts recommend using a password manager such as 1Password or LastPass, which will generate unique, random passwords for every service you use, and keep track of them for you.
Once you’ve locked down your log-in credentials, you can take even more control of your data by adjusting your privacy settings on Facebook and Instagram.
Editor’s Note: This article has been updated to include additional information from Facebook.