Facebook is no stranger to security blunders. Last month, the company confirmed it had stored millions of Facebook passwords in plain text. However, Facebook assured people that only “tens of thousands” of Instagram users were affected.

Now, Facebook is changing its tune. On Thursday, the company updated the blog post where it had originally confirmed the breach, writing:

(Update on April 18, 2019 at 7AM PT: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed).


Going from the original “tens of thousands” to “millions” is not a small leap. According to the Krebs on Security report that first exposed Facebook’s error, the passwords were accessible to over 20,000 Facebook employees.

“This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way,” a Facebook spokesperson told The Verge.

Facebook said it would notify all users who were impacted, including the ones the company just discovered. The company’s post still maintains that nobody outside of Facebook had access to the passwords and there are no signs of abuse.

The company hasn’t made any official recommendations for people to change their passwords on Facebook or Instagram, but it’s probably a smart thing to do. If you haven’t done so already, you may want to consider enabling two-factor authentication.