SAN FRANCISCO — Facebook said on Thursday that millions of user account passwords had been stored insecurely, potentially allowing employees to gain access to people’s accounts without their knowledge.
The Silicon Valley company publicized the security failure around the same time that Brian Krebs, a cybersecurity writer, reported the password vulnerability. Mr. Krebs said an audit by Facebook had found that hundreds of millions of user passwords dating to 2012 were stored in a format known as plain text, which makes the passwords readable to more than 20,000 of the company’s employees.
Facebook said that it had found no evidence of abuse and that it would begin alerting millions of its users and thousands of Instagram users about the issue. The company said it would not require people to reset their passwords.
The security failure is another embarrassment for Facebook, a $470 billion colossus that employs some of the most sought-after cybersecurity experts in the industry. It adds to a growing list of data scandals that have tarnished Facebook’s reputation over the last few years. Last year, amid revelations that a political consulting firm improperly gained access to the data of millions, Facebook also revealed that an attack on its network had exposed the personal information of tens of millions of users.
In response, the company has repeatedly said it plans to improve how it safeguards people’s data.
“There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook,” Pedro Canahuati, Facebook’s vice president of engineering in security and privacy, said in a blog post on Thursday.
Here’s a rundown of what you need to know about the password vulnerability and what you can do.
What’s the problem?
Storing passwords in plain text is a poor security practice. It leaves passwords wide open to cyberattacks and to potential employee abuse. A better practice would have been to keep only a one-way scrambled (hashed) form of each password, from which the original password cannot be recovered.
Facebook said it had not found evidence of abuse, but that does not mean it did not occur. Citing a Facebook insider, Mr. Krebs said access records revealed that 2,000 engineers or developers had made nine million queries for data that included plain-text user passwords.
A Facebook employee could have shared your password with someone else who would then have improper access to your account, for instance. Or an employee could have read your password and used it to log on to a different site where you used the same password. There are plenty of possibilities.
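The plain-text versus one-way-hashed distinction described above, as an added illustration in Python (not Facebook's code; the PBKDF2 parameters, the record layout and the sample password are assumptions made for this example):

```python
# Added example (not Facebook's code): the difference between storing a
# password in plain text and storing only a salted one-way hash of it.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this illustration


def store_plaintext(password: str) -> dict:
    """The insecure pattern the article describes: the stored record
    itself reveals the password to anyone who can read it."""
    return {"scheme": "plain", "value": password}


def store_hashed(password: str, salt=None) -> dict:
    """Keep only a salted PBKDF2-HMAC-SHA256 digest. The record lets a
    login be checked but cannot be turned back into the password."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "digest": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against a stored record of either scheme,
    using a constant-time comparison in both cases."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["value"].encode(), attempt.encode())
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(bytes.fromhex(record["digest"]), digest)


def record_reveals_password(record: dict, password: str) -> bool:
    """What an employee reading the stored record would see: True if the
    password appears verbatim among the record's values."""
    return any(password == str(value) for value in record.values())
```

With the plain record, anyone who can read the row can read the password; with the hashed record, a login can still be verified but the row contains no password to share or reuse.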