Facebook is alerting hundreds of millions of users that it stored their passwords in a plain text, putting the security of many accounts at risk.
Passwords are usually masked in an unreadable format but the social network has admitted hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users may have been affected by the error.
The company said it has fixed the issue since uncovering it in January but the development will still come as a blow.
Facebook is already dealing with a deluge of problems, most recently its handling of live streams following the Christchurch mosque attack and its response to removing videos.
An investigation carried out by the social network showed no evidence that anyone outside Facebook got hold of the passwords, nor were they abused by staff internally, the firm wrote in a blog post.
Pedro Canahuati, Facebook’s vice-president for engineering, security and privacy, said: “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems.
“We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
The announcement is the latest in a string of headaches for Facebook chief executive Mark Zuckerberg in recent years, including rampant misinformation spread on the network, breaches of user data and allegations of political manipulation.
In October, Facebook revealed millions of email addresses, phone numbers and other personal user information were compromised during a security breach, affecting as many as 50 million accounts.
Concerned users are being urged to change their password and consider enabling additional security measures such as a security key or two-factor authentication.