Facebook stored up to 600 million user account passwords in plain text, without the hashing that its login systems normally apply, leaving them readable by tens of thousands of company employees, according to a report Thursday by cybersecurity journalist Brian Krebs.
Facebook confirmed the report in a blog post. Facebook shares were down less than 1 percent Thursday. The Irish Data Protection Commission, which administers the European Union's General Data Protection Regulation, or GDPR, also said Thursday that Facebook had reached out over the issue: "We are currently seeking further information," the commission said in a statement.
The 600 million users represent a significant portion of Facebook's user base of 2.7 billion people. The company said Thursday it planned to start notifying those affected so they could change their passwords.
"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems," Facebook said in a statement. "This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."
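The statement above describes the intended design (passwords "masked" so they are unreadable at rest) and the failure (a readable copy landing in internal storage). The following is an added example, not Facebook's code or anything from the Krebs report, that shows both sides in plain Python: a hypothetical login handler that leaks the raw password into a log line, the salted slow-hash storage that a login system should use instead (here `hashlib.scrypt` from the standard library; Facebook's actual algorithm is not stated on the page), and a small audit that scans constructed log lines for password fields, the kind of check a routine security review would run. The log format, field names and function names are all assumptions made for the example.

```python
"""Plain-text password leak vs. salted slow hashing, with a log audit.

Added illustration; not the code of Facebook or of any product named in the
article. Log format, field names and function names are constructed here.
"""
import hashlib
import hmac
import re
import secrets
from typing import List, Optional

# --- Failure mode: a "debug" log line captures the raw password. ---------
# Hypothetical troubleshooting code. Once this line is written, the password
# sits in plain text wherever the logs are shipped and is readable by anyone
# with log access, which is exactly the condition the article describes.
def insecure_log_login(username: str, password: str, log: List[str]) -> None:
    log.append(f"login user={username} password={password}")


# --- Intended design: store only a salted, deliberately slow hash. ---------
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: alg$N$r$p$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, and a stolen table cannot be cracked with one
    precomputed dictionary. scrypt is memory-hard, so guessing is slow.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters; compare in constant time."""
    try:
        alg, n, r, p, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


def secure_log_login(username: str, log: List[str]) -> None:
    """Log the event, never the credential. The password is not a parameter."""
    log.append(f"login user={username}")


# --- Audit: the check a routine review would run over stored logs. --------
# Matches common credential field names in key=value style log lines.
_SECRET_FIELD = re.compile(r"\b(password|passwd|pwd|pass)=\S+", re.IGNORECASE)


def find_plaintext_password_lines(lines: List[str]) -> List[int]:
    """Return 0-based indices of log lines that carry a credential field."""
    return [i for i, line in enumerate(lines) if _SECRET_FIELD.search(line)]


def log_contains_secret(log: List[str], secret: str) -> bool:
    return any(secret in line for line in log)


if __name__ == "__main__":
    # Constructed sample log lines, not real Facebook data.
    sample_log = [
        "2019-01-10T10:00:01Z login user=alice password=hunter2",
        "2019-01-10T10:00:02Z login user=bob",
        "2019-01-10T10:00:03Z reset user=carol pwd=letmein",
    ]
    print("lines with credentials:", find_plaintext_password_lines(sample_log))
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("wrong", rec))
```

The audit regex is deliberately simple; in practice a review also looks for JSON-encoded request bodies, URL query strings and serialized form posts, which carry the same field under different syntax.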
Facebook's blog post did not say how many users were affected.
The incidents date back to as early as 2012, according to the report. A Facebook software engineer named Scott Renfro was quoted by Krebs as saying the company hasn't found any misuse of the data in question and that "there was no actual risk that's come from this."
Facebook, however, has been under intense scrutiny due to several years of privacy and security scandals that have earned the company criticism from customers and inquiries and fines from several regulatory agencies, particularly in the European Union.
But Facebook's scandals haven't significantly dented the company's count of active daily users, which rose last quarter despite an extended social media campaign by Facebook critics encouraging privacy-minded customers to delete their accounts.
This incident will undoubtedly trigger reviews under GDPR, which requires a company to notify its supervisory authority within 72 hours of becoming aware of a qualifying personal data breach, to inform affected individuals without undue delay when the breach poses a high risk to them, and to protect personal data with "appropriate" technical measures. The law does not spell out precisely what "appropriate levels of security" means for credentials, but the commission is likely to regard passwords stored internally in plain text and accessible to large numbers of employees as failing to meet that standard.
If the incident did stretch back as far as 2012, the company may also need to do a great deal of investigating into how those passwords may have been misused. Though Facebook stated in its blog post that it has "found no evidence to date that anyone internally abused or improperly accessed them," access logs can only show who read the data inside the company; they cannot show whether someone with internal access copied a password and later used it outside the company's systems, against the user's Facebook account or any other account where the same password was reused.
— CNBC's Jim Forkin contributed to this report.