Facebook stored millions of user passwords in plain text

Hundreds of millions of users to be notified.

Scandal-ridden social network giant Facebook has owned up to accidentally storing hundreds of millions of user passwords in clear text, but says they were not exposed externally.

Facebook's vice president of engineering, security and privacy Pedro Canahuati said the unmasked passwords were found during a routine check of systems.

"This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable," Canahuati said.

Most of the passwords were for users of Facebook Lite, which is designed for regions with slow network connections.

Nevertheless, on top of notifying hundreds of millions of Facebook Lite users about the password snafu, tens of millions on the full version of the social network and tens of thousands of Instagrammers will be alerted as well, Canahuati advised.

Canahuati said that Facebook normally follows best security practices to avoid storing user passwords in plain text.

These include hashing and salting the credentials, and using the scrypt password-based key derivation function.

Facebook also monitors login attempts for unusual locations and unrecognised devices, and asks users for further verification if it deems the account access suspicious.

Users at risk of hacking and account takeover attempts, such as politicians, activists and journalists, can also register a hardware key for Facebook logins for additional security.

Copyright © iTnews.com.au. All rights reserved.