
Instagram Data Breach

major, Anti-Privacy, Data Breach

Executive Summary

Facebook disclosed that millions of Instagram passwords had been stored in plaintext on internal systems since as early as 2012, accessible to over 20,000 employees via internal search tools. The initial disclosure mentioned Facebook passwords only; Instagram was added in an update weeks later, with the number of affected Instagram accounts eventually revised upward to millions.

What Happened

Facebook disclosed on March 21, 2019 that it had stored millions of Instagram passwords in plaintext on internal systems, accessible to over 20,000 employees through internal search tools. The issue dated back as far as 2012 and affected hundreds of millions of Facebook Lite users and tens of millions of other Facebook users in addition to Instagram accounts. Facebook initially reported that tens of thousands of Instagram users were affected, but later updated this figure to millions after discovering additional logs. Access logs showed that approximately 2,000 engineers or developers made around nine million internal queries for data containing plaintext passwords.

Who Is Affected

Millions of Instagram users were affected, along with hundreds of millions of Facebook Lite users and tens of millions of other Facebook users. The passwords were stored in plaintext and accessible to over 20,000 Facebook employees, though Facebook stated it found no evidence of internal abuse or improper access. Facebook planned to notify affected users but did not require password resets.

Why It Matters

This breach represents a fundamental failure in security practices, as storing passwords in plaintext violates basic industry standards for protecting user credentials. The scale is significantly larger than similar incidents at GitHub and Twitter, both in the number of affected users and the duration of exposure spanning seven years. The incident also raises concerns about internal access controls, given that thousands of employees had the ability to view user passwords.

What You Should Do

If you received a notification from Facebook or Instagram about this incident, change your password immediately to a strong, unique password not used on other services. Even if you were not notified, consider changing your Instagram and Facebook passwords as a precaution, especially if you use the same password on other websites or services. Enable two-factor authentication on your Instagram and Facebook accounts to add an additional layer of security beyond just your password.

AI-Assisted

Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.

Facebook disclosed that millions of Instagram passwords had been stored in... — Instagram | PrivacyWire