Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees, in some cases going back to 2012, according to the website KrebsOnSecurity.
The report says Facebook is investigating the breach and has so far found no indication that employees have abused access to this data.
An anonymous senior Facebook employee is alleged to have told the website that the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long.
The insider is also quoted as saying that access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.
In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to divulge specific details, such as the number of Facebook employees who could have accessed the data.
Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.