Facebook — Data Breach
Executive Summary
Facebook disclosed that between 200 million and 600 million user passwords for Facebook, Facebook Lite, and Instagram had been stored in plaintext on internal systems since as early as 2012, searchable by over 20,000 employees. The Irish DPC later fined Meta €91 million in September 2024 for this incident.
What Happened
Facebook stored between 200 million and 600 million user passwords in plaintext on internal systems, with some dating back to 2012. The passwords were searchable by over 20,000 Facebook employees, and access logs showed that approximately 2,000 engineers or developers made around nine million internal queries for data containing plaintext passwords. Facebook discovered the issue in January 2019 during a routine security review and disclosed it publicly in March 2019, stating that it found no evidence of abuse or improper access by employees.
Who Is Affected
Hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users were affected by this password storage issue. All affected users had their account passwords stored in a readable format accessible to thousands of Facebook employees, potentially for years. In September 2024, the Irish Data Protection Commission fined Meta €91 million for this incident.
Why It Matters
This breach represents a fundamental failure in password security: storing passwords in plaintext violates the basic practice of hashing each password with a unique salt, so that the stored value cannot be turned back into the password and a copy of the store does not yield usable credentials. The scale of exposure, potentially affecting one-fifth of Facebook's user base over a seven-year period with access granted to thousands of employees, demonstrates significant security lapses at one of the world's largest social media platforms. The incident adds to a series of privacy and security failures at Facebook that prompted congressional inquiries and government investigations.
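The contrast above, as an added illustration that is not part of the original summary and not Facebook's code: a plaintext credential store (the failure mode described) beside a salted, slow-hashed one, plus the kind of audit check a routine review could run to flag records that are not in the expected hashed format. The iteration count and record layout are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 work factor for the example (not a Facebook value).
ITERATIONS = 210_000
PREFIX = "pbkdf2_sha256$"


def store_plaintext(store, user, password):
    """The failure mode the incident describes: the secret itself is what is stored."""
    store[user] = password


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow hash; output is self-describing."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s%d$%s$%s" % (
        PREFIX, iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def store_hashed(store, user, password):
    """The practice the text calls for: only the salted hash is written."""
    store[user] = hash_password(password)


def verify(store, user, password):
    """Recompute with the stored salt and compare in constant time."""
    record = store.get(user)
    if record is None or not record.startswith(PREFIX):
        return False  # unknown user or a record not in hashed form never verifies
    _, iters, salt_b64, _digest = record.split("$")
    candidate = hash_password(password, base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(candidate, record)


def find_plaintext_records(store):
    """Audit: any entry not in the expected hashed format is suspect and should be reviewed."""
    return sorted(user for user, value in store.items() if not value.startswith(PREFIX))


if __name__ == "__main__":
    creds = {}
    store_hashed(creds, "alice", "correct horse battery")  # constructed sample user
    store_plaintext(creds, "bob", "hunter2")               # constructed bad record
    print("suspect records:", find_plaintext_records(creds))
```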
What You Should Do
Facebook said it would notify affected users directly but indicated no mandatory password resets would be required. However, affected users should consider changing their Facebook, Facebook Lite, and Instagram passwords as a precautionary measure, especially if they reuse the same password across multiple websites or services. Users should also enable two-factor authentication on their accounts for additional security protection.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.