SAN JOSE, Calif. (CN) – Facebook continues to be hounded by privacy issues, this time acknowledging Thursday it’s been storing millions of user passwords in a format plainly readable to thousands of its engineers and employees in violation of the basic standards of computer privacy.
The social media network said the passwords were never accessible to anyone outside the company, but cybersecurity experts say passwords should be encrypted to prevent the potential for abuse.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” Facebook said in a statement Thursday afternoon.
The storage of passwords in plain text instead of encrypted form meant they were plainly visible to thousands of Facebook employees dating back several years, by some accounts to 2012.
“The silver lining on the cloud is that Facebook hasn’t seen any evidence that any employees have abused access to the password data – but frankly, how would they know for sure?” wrote cybersecurity expert Graham Cluley on Thursday.
The story was first reported by independent journalist Brian Krebs who talked to an anonymous security professional at Facebook who said employees built applications that logged password data but failed to properly encrypt them.
Facebook said it will notify users potentially affected by the security oversight.
“We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” Facebook said. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
While it remains unclear if the oversight has directly affected any of the 2.2 billion worldwide users of the social media platform, it marks yet another setback for the company.
Last week, The New York Times reported federal prosecutors are scrutinizing several large deals Facebook made with other technology companies as part of a criminal investigation into the company’s data privacy practices.
Also this month, Facebook came under fire for another security blunder: Making phone numbers, which are often used in two-factor authentication processes, visible and allowing people to search for friends via phone numbers.
Facebook has attempted to distance itself from security oversights in recent weeks while charting a course away from a business model that requires it to use the data gathered about its users in targeted advertising and other consumer-related enterprises.
Last week, CEO Mark Zuckerberg unveiled a new “privacy-focused vision” for the company that prizes private communication through its applications over public sharing.
“There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” the company said on Thursday.
But critics of the company’s ability to guard user data remain unimpressed.
“They keep letting you down, and you’re not learning the lesson,” Cluley said, urging readers to delete their accounts.