Facebook shared the news as an update to a month-old blog post, which could be seen as a suspicious move to attract less attention. But a company spokesperson said Facebook simply learned that more Instagram passwords than originally suspected were exposed. Facebook had estimated it would have to notify tens of thousands of Instagram users, but it has since learned that millions were impacted.

This update comes less than 24 hours after we found out that Facebook also unintentionally saved email contact lists of up to 1.5 million new users. The company previously said it would reach out to the millions of Facebook users whose passwords were stored in plain text. Now, it will have to contact users whose email lists were snagged and millions of Instagram users, as well.

You can read Facebook’s statement below:

“This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way. There is no evidence of abuse or misuse of these passwords.”

Facebook will alert all users whose passwords were stored in plain text, including hundreds of millions of users of Facebook Lite, a version of the social network designed for slow internet connections and low-specification phones, which is typically used in developing nations. It will also notify tens of millions of other Facebook users and tens of thousands of Instagrammers.

While the information could have proven disastrous if it had fallen into the wrong hands, Facebook says the login credentials were “never visible to anyone outside of Facebook.” Pedro Canahuati, Facebook’s vice-president of engineering, security and privacy, wrote that “we have found no evidence to date that anyone internally abused or improperly accessed” the passwords.

Facebook didn’t reveal the full extent of the issue, though an anonymous senior Facebook employee told Krebs on Security up to 600 million passwords were stored in plain text, and suggested some credentials have been stored in this way since 2012. More than 20,000 employees were able to search the data, the employee said — Facebook employed 35,587 people as of the end of 2018. Access logs reportedly show around 2,000 engineers or developers “made approximately nine million internal queries for data elements that contained plain text user passwords.”

Facebook, of course, has had to deal with myriad privacy scandals in the recent past. Federal prosecutors are conducting a criminal investigation into the firm’s data-sharing practices with other businesses. The company was also found to be using phone numbers users provided for security (including two-factor authentication) for other purposes, including ad tracking and making them searchable. Meanwhile, CEO Mark Zuckerberg this month revealed plans to transform Facebook into a privacy-focused network.