Facebook stored up to 600 million user account passwords without encryption, in plain text viewable by tens of thousands of company employees, according to a report Thursday by cybersecurity journalist Brian Krebs.
Facebook confirmed the report in a blog post. Facebook shares were down less than 1 percent Thursday. The Irish Data Protection Commission, which administers the European Union's General Data Protection Regulation, or GDPR, also said Thursday that Facebook had reached out over the issue: "We are currently seeking further information," the commission said in a statement.
The 600 million users represent a significant portion of Facebook's user base of 2.7 billion people. The company said Thursday it planned to start notifying those affected so they could change their passwords.
"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems," Facebook said in a statement. "This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."
Facebook's blog post did not say how many users were affected.
The incidents date back to as early as 2012, according to the report. A Facebook software engineer named Scott Renfro was quoted by Krebs as saying the company hasn't found any misuse of the data in question and that "there was no actual risk that's come from this."
Facebook, however, has been under intense scrutiny due to several years of privacy and security scandals that have earned the company criticism from customers and inquiries and fines from several regulatory agencies, particularly in the European Union.
But Facebook's scandals haven't significantly dented the company's count of active daily users, which rose last quarter despite an extended social media campaign by Facebook critics encouraging privacy-minded customers to delete their accounts.