Data leak
Facebook Stored 600 Million Passwords in Plaintext: Internal Access for Years
Incident Details
In March 2019, security journalist Brian Krebs reported that Facebook had been storing hundreds of millions of user passwords in plaintext in internal log files since as early as 2012. The logs were stored on internal Facebook servers and were accessible to approximately 20,000 Facebook employees.

Facebook confirmed the report and stated it was in the process of notifying hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users whose passwords were stored in a readable format. Facebook’s total affected count reached approximately 600 million users. Facebook stated it had found no evidence that any employee had abused access to these passwords.

The error stemmed from Facebook’s internal data processing pipelines logging authentication tokens in plaintext, a systemic design failure rather than an external attack. The disclosure was made after a security engineer at Facebook noticed the issue during a routine security review in January 2019.

The Irish Data Protection Commission (Facebook’s lead EU data regulator under GDPR) opened a statutory inquiry. The FTC was also notified. Despite the severity of the plaintext storage, Facebook indicated no customer passwords were exposed to external parties. The incident added to a sequence of major Facebook privacy controversies in 2018-2019 following Cambridge Analytica, and contributed to the eventual $5 billion FTC settlement.
Technical Details
- Initial Attack Vector: Internal system design failure. Facebook's password logging infrastructure incorrectly logged user passwords in plaintext to internal log files; these log files were stored in searchable plaintext accessible by thousands of Facebook engineers. This was a systemic implementation error rather than an external attack.
- Vendor / Product: Facebook internal authentication logging systems
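The failure described above is a logging path that writes credential fields verbatim. The following is an added example, not Facebook's code: a Python logging filter that scrubs credential values before any handler writes them, plus a helper that audits existing log lines for the same fields. The field names in SENSITIVE_KEYS and the sample log lines are constructed assumptions.

```python
import io
import logging
import re

# Assumed field names; extend to match your own request schema.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "new_password", "secret", "token")
# Matches key=value, key: value and "key": "value" forms for the keys above.
_PATTERN = re.compile(
    r'(?i)(["\']?\b(?:%s)\b["\']?\s*[=:]\s*)("[^"]*"|\'[^\']*\'|[^\s,;&}]+)'
    % "|".join(map(re.escape, SENSITIVE_KEYS))
)

def redact(text: str) -> str:
    """Replace the value of any sensitive key with a fixed marker."""
    return _PATTERN.sub(lambda m: m.group(1) + "[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Scrub credentials from a record before the handler formats it."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args first so secrets passed as arguments are covered too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True

def find_plaintext_credentials(lines):
    """Audit helper: (line_number, redacted_line) for each line holding a credential."""
    hits = []
    for number, line in enumerate(lines, start=1):
        cleaned = redact(line)
        if cleaned != line:  # something was replaced, so a value was present
            hits.append((number, cleaned))
    return hits

def demo() -> str:
    """Log constructed login requests through the filter; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("auth-demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info("login attempt user=%s password=%s", "alice", "hunter2")
    log.info('POST /login body={"email": "bob@example.test", "password": "s3cr3t!"}')
    return stream.getvalue()

if __name__ == "__main__":
    print(demo(), end="")
```

Attaching the filter to the handler rather than to one logger means every record that handler writes is scrubbed, whichever code path produced it. Pattern-based scrubbing is a backstop; the primary control is not passing credential fields to the logger at all.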
Timeline
- 2012-01-01 Breach occurred
- 2019-03-21 Publicly disclosed
- 2019-03-21 Customers notified