Facebook revealed on Thursday it didn't properly mask the passwords of hundreds of millions of its users and stored them in an internal database that could be accessed by its staff.
The company said it discovered the passwords during a security review in January and launched an investigation. Facebook did not say for how long they had been storing passwords in this way.
It will be notifying hundreds of millions of Facebook users and tens of thousands of Instagram users if their passwords were involved.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," Pedro Canahuati, a Facebook vice president wrote on Thursday.
He added that Facebook typically "masks people's passwords when they create an account so that no one at the company can see them."
The news was first reported by Krebs on Security.