The social media giant first gave notice of its mistake in a March 21 blog post, titled "Keeping Passwords Secure." The post was written by Pedro Canahuati, the company's vice president of engineering, security and privacy, and focused on Facebook's previous announcement that it had mishandled millions of Facebook and Instagram passwords, storing them in a "readable format within our internal data storage systems."
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," reads the post. "We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users."
Now, less than a month after that post was published, Facebook has issued an update, stating that it has since found additional Instagram passwords stored incorrectly on servers. Rather than the "tens of thousands" it previously said were impacted, the platform is now stating that the mishap affected millions of Instagram users.
"Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format," reads the April 18 update. "We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others."
"Our investigation has determined that these stored passwords were not internally abused or improperly accessed," it goes on to claim.
Facebook initially discovered the error in January when it was conducting a routine security review. According to website Krebs on Security, unprotected passwords were "searchable by more than 20,000 Facebook employees," and some archives dated back to 2012.
A source familiar with the matter previously told the website prior to the March announcement that "the legal people" at Facebook were "more comfortable" with reporting lower numbers, and that they were "working on an effort to reduce that number even more by only counting things we have currently in our data warehouse."
This latest development comes as federal prosecutors are conducting a criminal investigation into Facebook's sales of user data to other tech companies. The New York Times reported in March that at a grand jury in New York had subpoenaed documents from at least two well-known companies.