Facebook has admitted storing hundreds of millions of passwords in an unencrypted format.
Typically, passwords are stored in an encrypted format - meaning the passwords are 'masked' so that nobody, even Facebook staff, can read them.
The process of 'hashing' and 'salting' passwords means they can be kept and validated without being stored in plain text format.
However, the social network says a security review in January discovered user passwords were in fact being stored in a readable format in their internal data storage systems.
Facebook says it has fixed the issue and will be now notify everyone impacted.
In a statement, the company said: "To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.
"We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity."
The company added it's been looking at ways of storing other categories of information, and has also fixed problems there.
"There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook."
Here in Ireland, the Data Protection Commission (DPC) says Facebook has contacted them about the issue.
Head of Communications with the DPC, Graham Doyle, said they are currently seeking further information about the matter
The revelations represent the latest privacy controversy for the social networking giant.
Facebook spent much of 2018 attempting to address scandals such as the Cambridge Analytica scandal and allegations that they'd had 'special data arrangements' with dozens of large companies.