While everyone was focused on the release of the Mueller report Thursday, Facebook quietly notified the public that the passwords of "millions of Instagram users" were stored in an unencrypted format on an internal server, and searchable by any employee.
The company had initially said it was "tens of thousands" of Instagram users. That said, the company says that an internal investigation determined "that these stored passwords were not internally abused or improperly accessed."
From FB spox: "This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way. There is no evidence of abuse or misuse of these passwords."— Kurt Wagner (@KurtWagner8) April 18, 2019
Some have noted that this fits Facebook's MO: report the problem, let time pass, then update that the problem was much worse than initially reported.
If memory serves, this is a common theme. Facebook reveals a number of victims, and after all the reporting is done, they reveal a much larger number of victims.— Mike Elgan (@MikeElgan) April 18, 2019
::Facebook punches me in the stomach::— rat king (@MikeIsaac) April 18, 2019
"Keeping Your Midsection Safe"
In March, security expert Brian Krebs of KrebsOnSecurity noted:
The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.
My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords. -KrebsOnSecurity
In short, if you believe Facebook that the passwords were not improperly accessed, rest well. If you don't believe them, and you use your Instagram password for other things, perhaps it's time to think of a new one.