Facebook is taking heat for releasing news of a potential security breach involving millions of Instagram users at around the same time the report of special counsel Robert Mueller was released Thursday.
Last month, Facebook revealed that it had stored several thousand passwords for its Instagram unit in plain text, instead of encrypting them.
This made it possible for Facebook employees to search them, Time reported.
“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the company said then. Facebook Lite is for areas with older phones or slow internet connections.
Facebook said no users experienced security issues.
That blog post by Pedro Canahuati, vice president of Engineering, Security and Privacy, was updated at 10 a.m. Thursday, during the press conference of Attorney General William Barr in the leadup to the release of the Mueller report in Washington, D.C.
“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format,” the update read.
“We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”
Evan Greer, deputy director at Fight for the Future, accused Facebook of trying to make the error public when the media was distracted, The Guardian reported.
“Exactly zero people are surprised that Facebook would try to bury this damning story by releasing their response today,” she said.
“It fits their MO of deflecting, downplaying and apologizing without addressing the fundamental problem: that their current business model is incompatible with user privacy and human rights,” she said.
The post’s timing was much like Facebook “mumbling it under your breath while someone is playing loud music and hoping no one will hear,” Ed Zitron, CEO of EZPR, said.
“The crazy thing is that they think they can still do this … They are acting like they’re still a cute startup, but they’re not,” he said.
When asked about the curious timing, Facebook replied that it had in fact just learned about the wider impact of the password incident.
“We want to be clear that we simply learned there were more passwords stored in this way,” the company said, according to the San Jose Mercury News.
One observer said if Facebook thought it could soft-pedal bad news, it was mistaken.
“That might have worked when we were dealing with print papers and a story might be forgotten,” Brian Baker, founder of Big Sky Crisis Communications, said, according to CNN.
“It doesn’t work like that anymore. People who are paying attention will see the news, and if it is important, they will see it immediately,” he said.
Trying to bury bad news is the opposite of what Facebook should do, Baker said.
“I don’t think that helps its reputation. I think that makes it look more suspicious,” he added.
CORRECTION, April 20, 2019: As originally published, this article stated that the Mueller report was issued at 10:00 a.m. Thursday, the same time Facebook’s announcement was made. The report was released at 11:00 a.m. on Thursday, so we have corrected that wording in the article and apologize for any confusion we may have caused.
Truth and Accuracy
We are committed to truth and accuracy in all of our journalism. Read our editorial standards.