In a blog post, the company's vice-president of Engineering, Security and Privacy, Pedro Canahuati, said it was estimated that hundreds of millions of Facebook Lite users would have to be notified about the snafu, along with tens of millions of other Facebook users and tens of thousands of Instagram users.
Facebook Lite is a version of the social media site used in areas with poor connectivity.
Canahuati said the error had been noticed in January but did not say why an announcement had been delayed for more than two months.
Neither is an excuse, but we've worked (and discovered) incidents involving both scenarios. The latter usually happens with orgs where the UI is complex and depends on a large number of user interactions/relationships (e.g. Facebook). 2/2 — Jake Williams (@MalwareJake), March 21, 2019
"This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable.
"We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."
He claimed the passwords had never been visible to anyone outside Facebook and there was no evidence to show that anyone had internally abused or improperly used them.
The security review had also thrown up problems with the way access tokens were managed, and these were fixed as well, Canahuati said.