Facebook has no plans to reset users' passwords, despite hundreds of millions of them being exposed in its latest breach.
Up to 600 million Facebook and Instagram users' passwords were being stored as plaintext - meaning they were unencrypted, and available to anyone with access to see - the company discovered in January.
"This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable," Facebook vice-president of engineering, security and privacy Pedro Canahuati said in a statement.
"We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."
- Facebook has breached Privacy Act - commissioner
- Why Andrew Little is keeping a close eye on Facebook
Canahuati says the unencrypted passwords weren't visible to anyone outside of Facebook - which has about 35,500 employees - and the company has found "no evidence to date that anyone internally abused or improperly accessed them".
"We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users."
Facebook Lite is an Android app popular in countries with low-speed internet connections and older phones.
It's only revealed the security problem now because it took two months to fix, the company told Wired - the exposed passwords weren't all kept in the same place, and there was more than one bug to squash.
The September breach saw nearly 50 million accounts compromised. Facebook responded by logging members out of every device, requiring them to log back in to resume using the service.
Facebook won't be resetting any passwords or logging people out this time, as it says no one's accounts were actually compromised.
Facebook says if you'd like to change your password anyway, make sure it's different to any you use for another site - if a hacker accesses one site, it's more difficult for them to breach others if the passwords are different.