Facebook has admitted millions of Instagram passwords were stored in readable format, meaning employees had unfiltered access to accounts.
The mistake was discovered in January, and was estimated to have affected "tens of thousands of people".
However, this was updated on Thursday to confirm millions have been affected.
"We have found no evidence to date that anyone internally abused or improperly accessed [the accounts]," wrote Facebook's vice president of engineering, security and privacy Pedro Canahuati in a statement.
- Facebook has 'too much power over speech' - Mark Zuckerberg
- Facebook bosses are 'morally bankrupt pathological liars' - Privacy Commissioner John Edwards
He says Facebook will be notifying any user who was affected by the privacy breach.
Also affected are tens of millions of Facebook users, and hundreds of millions of Facebook Lite users (a version of Facebook used by people in regions with lower connectivity).
"There is nothing more important to us than protecting people's information," said Canahuati.
"We will continue making improvements as part of our ongoing security efforts at Facebook."