Facebook users may want to consider changing their passwords, even if the company isn’t initiating a password reset after it acknowledged it left hundreds of millions of passwords exposed to internal employees.
Facebook confirmed on Thursday that some passwords were stored in a readable, unencrypted format, but said the issue had been fixed. The company also said there was no evidence that the passwords had been accessed by anyone outside of the company, or improperly accessed by Facebook employees. The issue was discovered during a security review in January, according to a blog post from Pedro Canahuati, vice president of engineering, security and privacy.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” he wrote.
Facebook said it plans to send notifications to anyone whose passwords were stored in this manner, but it won’t require they be reset. Canahuati said that includes “hundreds of millions” of users of Facebook Lite, a barebones app that uses less data and is popular in places with low connectivity. Tens of millions of Facebook users and tens of thousands of Instagram users were also affected, he said.
While Facebook isn’t initiating a reset, security experts tend to err on the side of caution after a password has been exposed, and advise immediately changing it. Here’s how to change yours:
If you don’t know your password (or are already logged out of the social network), you can simply choose “forgot password” on the login page, and your password will be reset, with follow-up instructions sent to your email address.
Or if you are already logged into the Facebook website, click the inverted triangle in the upper-right corner of the blue toolbar. Next, choose “Settings,” and then “Security and Login” from the menu on the left side of the page. Scroll down to the “Change Password” option. Click “Edit,” then enter your old password and the new one you want to use, and then click “Save Changes.”
To change your password using the Facebook mobile app, tap on the hamburger icon (it looks like three horizontal lines) on the bottom right of the screen. Then scroll down to “Settings & Privacy” and tap on “Settings.” Then you’ll see the “Security and Login” option, which contains the setting for changing passwords.