The mistake, which led to user passwords being kept in Facebook's internal servers in an insecure way, affects "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users", according to the social networking site.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them", vice president of engineering, security, and privacy Pedro Canahuati said in a blog post.
But the incident reveals a huge oversight for the company amid a slew of bruises and stumbles in the last couple of years.
Facebook released a public statement in tandem with Krebs' report and confirmed it uncovered the plain text passwords during a routine security review in January.
"We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users".
There's probably no need to change your Facebook or Instagram passwords, as long as the passwords are unique and strong.
He added that Facebook typically "masks people's passwords when they create an account so that no one at the company can see them". Of most concern is that around 2,000 Facebook engineers are thought to have queried the password data over nine million times.
Canahuati said Facebook has now fixed this particular issue, as well as some problems the company has discovered in other security features, such as the code by which users log in through other apps.
If Facebook can't even take password security seriously, how can it ever hope to convince users it can understand the mere meaning of the word "privacy"? Most affected, the company said, were users of Facebook Lite, a stripped-down version of the social network that's largely in use in countries with lower internet connection speeds.
In September, Facebook acknowledged that hackers had stolen information that may have allowed them to access 50 million user accounts.
At this stage in the investigation, the company is not requiring any users to reset their passwords.
"We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way".