Facebook on Thursday confirmed that it had improperly secured “hundreds of millions” of users’ passwords, leaving them open to be viewed by company employees.
The unsecured passwords were discovered amid a “routine security review in January,” after which Facebook says it fixed the improper storage issue. The company’s internal investigation claimed to find no evidence of password-related impropriety. The major security issue was first reported by security journalist Brian Krebs, who says some Facebook passwords were available for search internally as far back as 2012.
Facebook insists there’s nothing to worry about, even if you were one of the many whose passwords were in the company’s internal database. “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” wrote Pedro Canahuati, Facebook’s VP of Security and Privacy Engineering, in a blog post. TIME has reached out to Facebook for more information about the incident.
That doesn’t mean you won’t be hearing from Facebook if your password was in the database. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” wrote Canahuati.
Still, given that many people follow discouraged password practices and use the same password across many different sites, getting access to a person’s password for one account could compromise their security across other sites, too. Tools like Google’s password checkup extension can help you if you’re curious about whether a password you use may have been compromised.
Facebook says it’s aware of the potential for misuse in other areas, and says it monitors publicly posted databases of stolen credentials to check if any compromised passwords match those of its users. Facebook says it also supports physical security keys, which allow you to secure your account using an actual device resembling a USB flash drive.
What’s most surprising is the company’s suggestions to users concerned about their passwords. While Facebook itself improperly stored the passwords in a readable format, its suggestions (like using two-factor authentication, a complex password, or changing your password entirely) do not necessarily protect against a similar incident happening again, and they put the onus of securing accounts on its users despite the mistake occurring internally.
Write to Patrick Lucas Austin at patrick.austin@time.com