Facebook stored passwords for hundreds of millions of users in plain text, exposing them for years to anyone who had internal access to the files, according to Krebs on Security. User passwords are typically protected with encryption (a process known as hashing), but a string of errors led certain Facebook-branded apps to leave passwords accessible to as many as 20,000 company employees.

Between 200 million and 600 million Facebook users are believed to have been affected, according to Krebs, which first reported the security flaw. Facebook confirmed the issue in a blog post, titled “Keeping Passwords Secure,” and it said the company identified the problem in January as part of a security review. Facebook says it has fixed the issue and will notify everyone affected.

more at theverge.com