Skip to main content

Security Advisory: Facebook stored plain text user passwords on their internal servers

Release Date: 22 Mar 2019 3474 Views

Recently, Facebook discovered that there were hundreds of millions account passwords stored in plain text on their internal company servers, which means that these passwords were searchable and readable by over 20,000 Facebook employees. The impact of this incident including hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.


Facebook reported the issue has been fixed and they will notify the affected users. Up to the current investigation, Facebook indicated that there was no evidence showed that internal employees have abused access to this data and no passwords were exposed outside the company. However, the related data elements have been accessed by their internal developers. HKCERT urges the public to secure and enhance the protection of your Facebook and Instagram account immediately:


  • Change your password of Facebook and Instagram account, and do not reuse the same password across other online services.
  • Use strong password for all your accounts. And you can consider using password manager service to better manage your passwords.
  • Enable 2-factor authentication to enhance the login security.
  • Enable "Get alerts about unrecognised logins" to get notifications when encountering unauthorized login attempts to your account.