Facebook has revealed that millions of Instagram users' passwords were stored in plain text on the company's servers, making them potentially accessible to employees.
The social network, which owns Instagram, revealed last month that 600m Facebook users' passwords were not encrypted on its own servers.
At the time it said tens of thousands of Instagram users were affected but yesterday upgraded this to millions of users.
Facebook announced the revelation in an updated blog post on the original security breach, which was announced in March.
The Instagram and Facebook passwords, which should have been kept encrypted, were readable to the company’s employees.
"This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way," a spokesperson said.
"There is no evidence of abuse or misuse of these passwords," they added, saying Facebook will notify the users affected.
The data breach is the latest in a string of security issues at the social media superpower.
Earlier this month, it was revealed that millions of Facebook user records were exposed by two apps which the company allowed access to its users' data. The blunder highlighted the company's struggle to police its rule that developers must store shared user information in secure manner.