Facebook on Thursday confirmed that it had improperly secured “hundreds of millions” of users’ passwords, leaving them open to be viewed by company employees.
The unsecured passwords were discovered amid a “routine security review in January,” after which Facebook says it fixed the improper storage issue. The company’s internal investigation claimed to find no evidence of password-related impropriety. The major security issue was first reported by security journalist Brian Krebs, who says some Facebook passwords were available for search internally as far back as 2012.
Facebook insists there’s nothing to worry about, even if you were one of the many whose passwords were in the company’s internal database. “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” wrote Pedro Canahuati, Facebook’s VP of Security and Privacy Engineering, in a blog post. TIME has reached out to Facebook for more information about the incident.
That doesn’t mean you won’t be hearing from Facebook if your password was in the database. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” wrote Canahuati.
Still, given that many people follow discouraged password practices and use the same password across many different sites, getting access to a person’s password for one account could compromise their security across other sites, too. Tools like Google’s password checkup extension can help you if you’re curious about whether a password you use may have been compromised.
Facebook says it’s aware of the potential for misuse in other areas, and that it monitors publicly posted databases of stolen credentials to check whether any compromised passwords match those of its users. Facebook says it also supports physical security keys, which let you secure your account with an actual device resembling a USB flash drive.
What’s most surprising is the company’s suggestions to users concerned about their passwords. While Facebook itself improperly stored the passwords in a readable format, its suggestions — like using two-factor authentication, a complex password, or changing your password entirely — do not necessarily protect against a similar incident happening again, and they put the onus of securing accounts on users despite the mistake occurring internally.
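The core defect in this incident is a storage format that lets anyone who can read the record read the password. The following example, added here and not code from Facebook or from the original article, contrasts that shape with one that stores only a salted, memory-hard hash, and includes a small audit check of the kind a routine review could run to detect records that still carry a password verbatim. The user store, field names and parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical in-memory user store (a dict), constructed for this example.

def store_plaintext(users: dict, username: str, password: str) -> None:
    """The vulnerable shape: the password is written as-is, so any reader
    of the record (employee, log pipeline, backup) sees the password."""
    users[username] = {"password": password}

# scrypt from the standard library; cost parameters are assumptions.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def store_hashed(users: dict, username: str, password: str) -> None:
    """The hardened shape: a per-user random salt plus a scrypt digest.
    Reading the record no longer reveals the password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    users[username] = {"kdf": "scrypt", "salt": salt.hex(), "hash": digest.hex()}

def verify_hashed(users: dict, username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    rec = users.get(username)
    if rec is None or rec.get("kdf") != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(rec["salt"]), **SCRYPT_PARAMS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(rec["hash"]))

def record_reveals_password(users: dict, username: str, password: str) -> bool:
    """Audit helper: does any stored field contain the password verbatim?
    A review that knows a test account's password can use this to flag
    plaintext storage without dumping the whole table."""
    rec = users.get(username, {})
    return any(isinstance(v, str) and password in v for v in rec.values())

if __name__ == "__main__":
    bad, good = {}, {}
    store_plaintext(bad, "alice", "correct horse battery")
    store_hashed(good, "alice", "correct horse battery")
    print("plaintext store leaks:", record_reveals_password(bad, "alice", "correct horse battery"))
    print("hashed store leaks:   ", record_reveals_password(good, "alice", "correct horse battery"))
    print("hashed verify ok:     ", verify_hashed(good, "alice", "correct horse battery"))
```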