Facebook reveals millions of Instagram passwords were stored in plaintext

19 Apr 2019


Another horrible picture of a Facebook security blunder develops, and no hip filter can make this one look pretty.

Either by accident or design, Facebook chose one of the busiest days in American politics – the release of the Mueller Report – to reveal that millions rather than thousands of Instagram passwords were stored in plaintext for the social network’s employees to access.

Rather than being a safe place to store data, Facebook and its subsidiary Instagram are pretty much becoming the wild west of data security and a damning case study of how not to manage privacy.

‘We now estimate that this issue impacted millions of Instagram users’

Facebook yesterday (18 April) updated a 21 March blogpost which revealed that it accidentally stored the passwords of hundreds of millions of users of various platforms in plaintext. It now includes a sentence where Facebook admits that millions more Instagram accounts than had originally been reported were affected.

The post on 21 March initially said that hundreds of millions of Facebook Lite users as well as tens of millions of other Facebook users and “tens of thousands” of Instagram users had their data insecurely stored.

But around 7am Pacific Time on 18 April, Facebook added: “Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”

Facebook blundering from one crisis to another

The company has stated that there has been no evidence of abuse or misuse of these passwords.

Facebook is feeling the heat from numerous investigations, including one by the US Department of Justice, and the timing of the update, during the release of the Mueller Report, produces just the wrong kind of optics.

The troubling thing about all of this is a company of Facebook’s stature making the rookie error of storing anything anywhere in plaintext. And passwords especially should be sacrosanct.

If anything, a collection of social media sites that harbour the hopes and dreams of 2.3bn people should be a force for good and a byword for best practice. Be the change you want to see in the world, Facebook!

Instead, Facebook is blundering from one data crisis to another; an out-of-control combine harvester processing people’s data like wheat and chaff to fill the coffers of increasingly uneasy investors and confused but pampered employees who are crying out for a moral compass on the matter.

Here’s an idea, Zuckerberg: stop hoovering up so much data. You might be able to do more with less.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years