Facebook's security and privacy practices have come in to question again after it was revealed that the social network has been keeping hundreds of millions of user passwords in plaintext form on its internal systems, which could have allowed anyone with access to compromise accounts.
Between 200 million and 600 million accounts are thought to have been affected by the issue, according to security researcher Brian Krebs, who first broke the news, with some of these accounts going back as far as 2012.
It means that anyone with access to Facebook's internal network, which could be as many as 20,000 employees, would have been able to search the database and discover passwords due to a lack of encryption.
A source at the company told Mr Krebs that access logs revealed around nine million data queries had been made for information containing these plaintext passwords, by around 2,000 engineers and developers.
The security flaw could also mean that if Facebook's internal systems were compromised, a hacker could easily extract the unprotected passwords, though there is no indication at this stage that any of this information has been misused.
In a statement, Facebook acknowledged the issue and said it has taken steps to fix the problem, and will be notifying every user whose passwords were stored in this way.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," the company continued.
Best practice guidelines for stored user passwords require them to be encrypted using 'hashing' techniques, which ensure that details are replaced on a firm's system with a random collection of characters that cannot be decrypted. Facebook added that these standards are in use on the company's systems, but some passwords were "inadvertently" stored in plaintext instead.
The latest security issue comes after a difficult few months for Facebook, which has already had to deal with questions about how it uses the vast amount of data it collects about its users, and had around 50 million accounts potentially compromised in a data breach.