Welp, it looks like millions of Instagram accounts were left out in the open for Facebook employees to see.
A full month after Facebook admitted it mistakenly stored hundreds of million of passwords in plaintext where employees could see them, the company quietly added a significant update: that millions of Instagram passwords were also affected.
“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format,” Facebook wrote. “We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”
The company did not offer an explanation on why it took four weeks for this additional piece of information to be added to its initial disclosure, or why it chose to do so at almost exactly the same time as the entire freaking Mueller report dropped.
SEE ALSO: What the hell is going on with Matthew Lillard’s Instagram account? An investigation.
The initial password issue was only disclosed after KrebsOnSecurity revealed its existence thanks to an anonymous tipster. About 20,000 employees had access to the passwords, according to his sources. Now, we know “millions” of Instagram passwords were also floating around for employees to find, though Facebook says it’s found no evidence of that happening.
But even though Facebook claims nothing nefarious came of the blunder, it’s alarming that the company would be so careless with Instagram passwords. Many Instagram users are already deal with frequent hacking attempts, and users whose accounts are hacked are often unable to get them back because of Instagram’s flawed support system. That so many passwords were exposed doesn’t support the company’s assertions that it cares about its users’ security.
It’s equally troubling that the company would wait for one of the most momentous political events in recent memory to disclose the information and would bury it in a month-old press release. Instagram says it will notify those affected directly, so all users should probably keep an eye out for any emails from Instagram. (And, needless to say, if you do get such an email from Facebook, you should definitely change you password.)