Skip to Content
Security & privacy

Facebook’s sloppy data protection now affecting Instagram users

Last month, we learned that Facebook had been storing hundreds of millions of users’ passwords in plain text. It was the latest Facebook fail in a string of incidents that show how the company plays fast and loose with its customers’ personal data.

There were the 540 million Facebook records containing personal data found on unsecured servers; hundreds of millions of Facebook users’ passwords stored in plain text and searchable to more than 20,000 Facebook employees; and yesterday’s announcement that the company had “unintentionally uploaded” 1.5 million users’ email contacts without consent.

Now, we’ve learned of another blunder impacting Instagram users.

Instagram users swept up in massive password fiasco

Facebook has quietly admitted that millions of Instagram users’ passwords were among those Facebook had left in plain text. Instagram is owned by Facebook

The passwords were exposed to anyone with access to internal files. Passwords are normally protected with encryption, but for some unknown reason Facebook failed to provide users with necessary security.

Facebook only addressed the issue publicly after it was discovered by Krebs on Security.

The Instagram admission was posted as an update on Facebook’s initial March 21 blog, “Keeping Passwords Secure,” which first acknowledged the issue of the plain text passwords.

The update read, “Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”

Facebook didn’t say why it took a full month for it to disclose that Instagram users’ passwords were also compromised. Instagram says it will notify those affected directly.

Facebook said it discovered some passwords were being stored in a readable format in January as part of a routine security review. The company also said the issue has since been fixed and will be notifying everyone whose passwords were found to be stored this way. Thanks!

How to secure your Facebook account

Even though Facebook claims the plain text passwords weren’t seen by anyone outside the company, why would we believe anything it says at this point. We’ve been burned too many times by this dysfunctional company.

That’s why we recommend taking security into your own hands.

Start by changing your Facebook password

To reset your Facebook password, go to Settings >> Security and Login then tap or click on Change Password.

Turn on two-factor authentication

Here’s another layer of security you can employ on your Facebook account — turn on Two-Factor authentication (2FA).

Here’s how you do this: Go to Settings >> Security and Login >> scroll down to Use Two-Factor Authentication. Click Edit >> select the method you want to use. You can pick “Text Message” or “Authentication App.”

One thing to note is, Facebook recently admitted phone numbers provided for two-factor authentication were used for targeted ads. This is troubling because it is yet another indication that Facebook is repurposing its users’ information, phone numbers used for security, nonetheless, for monetary purposes.

Because of this, I recommend using “Authentication App” instead of linking your phone number as your Facebook 2FA gadget. Instead of a text message, you can use an app like Google Authenticator to generate your 2FA login codes.

If you’re an Instagram user and want to know if your password was compromised visit Have I Been Pwned?

Tired of dealing with Facebook’s problems? Click here to learn how to delete your account.

Ask me your digital question!

Navigating the digital world can be intimidating and sometimes downright daunting. Let me help! Reach out today to ask your digital question. You might even be on my show!

Ask Me