Facebook stored hundreds of millions of user passwords in plain text files, the social network has admitted.
The error was revealed in a blog post that detailed how passwords had been stored in a readable format within its internal data storage systems.
Pedro Canahuati, Facebook's vice president of engineering, security and privacy, said the passwords were visible to Facebook employees, potentially meaning thousands of people had access to people's private accounts.
He claimed there was no evidence anyone abused or improperly accessed them and that Facebook is in the process of notifying affected users.
"We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users," Mr Canahuati wrote.
"There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook."
A spokesperson for Facebook was not immediately available for comment.
Security experts were quick to criticise Facebook, in what is just the latest in a series of high-profile incidents involving its users' data.
"Passwords in a flat file for anyone to read?! Are you kidding me? Give me a break! Everyone, including Facebook, have tech debt and security debt that piles up. But that's not an excuse any longer," Sam Curry, chief security officer at security firm Cybereason, told The Independent.
"Facebook is starting to look like critical social infrastructure, where there responsibility is to the public. It's past time to go back and clean the skeletons out of the closets.
"How can we trust this platform to get bigger and get more connected under the hood if they can't do the basis blocking and tackling right? Facebook needs a security strategy for the 21st century not the 20th century. "
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies