Facebook has messed up again. From the Cambridge Analytica scandal to sharing your phone number, the massive social network has a history of privacy flubs, and now you might see a message in your inbox about its latest goof.

On Thursday, security expert Brian Krebs reported that Facebook has stored hundreds of millions of user passwords in plain text on internal company servers searchable by thousands of company employees.

Krebs reports that some passwords may have been vulnerable going as far back as 2012.

Storing passwords in an unencrypted and accessible manner is a most basic security no-no.

"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems," wrote Pedro Canahuati, Facebook vice president for engineering, security, and privacy, in a blog post that went up shortly after Krebs's story. "We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."

Canahuati goes on to cite some very basic precautions that all Facebook users will probably want to heed at this point:

"You can change your password in your settings on Facebook and Instagram. Avoid reusing passwords across different services."

"Pick strong and complex passwords for all your accounts. Password manager apps can help."

While the odds a malicious Facebook employee got hold of your password to sell it or see where else you're using the same key might be low, any exposure is too much exposure in today's world.

So it's a good idea to take the actions Facebook suggests to protect you from, well...Facebook.

Canahuati also suggests Facebook users "Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third-party authentication app. When you log in with your password, we will ask for a security code or to tap your security key to verify that it is you."

Not surprisingly, there are now ways that you can add this extra layer of protection without handing over your phone number, which is good since we know Facebook doesn't necessarily hold that data under the tightest lock and key, either.

Maybe it's just time to rethink this whole social media thing, eh?