Security incidents often follow a familiar pattern. Companies find out they weren't as secure as they thought, inform their users about the issue and later discover the incident affected more people than originally estimated. Facebook's disclosure of problems with the way it stored passwords followed that same pattern, with the company revealing yesterday that millions of Instagram users were also affected by its security blunder.
Facebook originally said in March that up to 20,000 employees could have accessed the passwords of more than 600 million people. They wouldn't even have to do anything to make the data readable either because it was stored in plain text. The company essentially left keys to the digital lives of half a billion people lying around for any of its employees to use as they saw fit. We're pretty sure that's the opposite of secure.
Then, on April 18 the company updated its March blog post with more information: "Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed."
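The two failure modes described above (passwords kept in a readable form, and passwords ending up in logs) are both easy to reproduce and easy to check for. The following is an added illustration, not code from Facebook or from the original article; it uses a constructed in-memory user store and a captured log list. The vulnerable registration path writes the password verbatim to both, while the hardened path stores only a salted PBKDF2 hash and installs a logging filter that scrubs any `password=` field before it reaches a handler. `stored_record_exposes_password` is the kind of check that would have caught the problem: it looks for the raw secret in the stored record and in every log line. All names here are hypothetical.

```python
import hashlib
import hmac
import logging
import os
import re

# Constructed in-memory user store and captured log output (hypothetical).
USERS = {}
LOG_LINES = []


class _ListHandler(logging.Handler):
    """Collects formatted log lines so the example can inspect them."""
    def emit(self, record):
        LOG_LINES.append(self.format(record))


logger = logging.getLogger("auth_example")
logger.setLevel(logging.INFO)
logger.propagate = False
logger.handlers.clear()
logger.addHandler(_ListHandler())


# --- Vulnerable pattern: password stored and logged verbatim ----------------
def register_plaintext(username, password):
    USERS[username] = {"password": password}
    # Logging the whole request is how plaintext credentials end up in logs.
    logger.info("register request: user=%s password=%s", username, password)


# --- Hardened pattern: salted hash at rest, credential redacted in logs -----
_REDACT = re.compile(r"(password=)\S+")


class RedactPasswords(logging.Filter):
    """Render the message, then scrub any 'password=<value>' field."""
    def filter(self, record):
        record.msg = _REDACT.sub(r"\1[REDACTED]", record.getMessage())
        record.args = ()  # message is already rendered; drop the raw args
        return True


def enable_redaction():
    if not any(isinstance(f, RedactPasswords) for f in logger.filters):
        logger.addFilter(RedactPasswords())


def hash_password(password, salt=None, iterations=200_000):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def register_hashed(username, password):
    USERS[username] = hash_password(password)
    # Same careless log line; the filter ensures the secret never lands on disk.
    logger.info("register request: user=%s password=%s", username, password)


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None or "hash" not in rec:
        return False
    cand = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(rec["salt"]), rec["iterations"]
    )
    return hmac.compare_digest(cand.hex(), rec["hash"])


def stored_record_exposes_password(username, password):
    """True if the raw password is visible in the stored record or any log line."""
    rec = USERS.get(username, {})
    return password in str(rec) or any(password in line for line in LOG_LINES)


def demo():
    """Returns (leak_before, leak_after, good_login, bad_login)."""
    register_plaintext("alice", "hunter2")
    leak_before = stored_record_exposes_password("alice", "hunter2")
    enable_redaction()
    register_hashed("bob", "Tr0ub4dor&3")
    leak_after = stored_record_exposes_password("bob", "Tr0ub4dor&3")
    return (leak_before, leak_after,
            verify_password("bob", "Tr0ub4dor&3"), verify_password("bob", "wrong"))


if __name__ == "__main__":
    print(demo())
    print(LOG_LINES)
```

Running `demo()` shows the vulnerable path leaking the credential into both the record and the log, and the hardened path leaking it into neither while still authenticating correctly. The redaction filter is deliberately installed on the logger rather than on one handler so that every output destination is covered; the regex stops at whitespace, so the same pattern would need widening for log formats that permit spaces in the value.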
The company didn't say when it discovered that Instagram users were also affected; it could've been anytime between March 21 and April 18. Nor did Facebook mention the issue on social media, republish the blog post to make it clear that it was updated, or inform journalists of the change. It wouldn't be too far-fetched to think Facebook was hoping the media would be focusing its attention elsewhere so this disclosure would go unnoticed.
This disclosure perfectly matches the process we outlined above. At this point it's probably safe to assume a few things whenever companies disclose security incidents. It seems like they're always worse than they expect, they're always going to downplay the severity of an incident, and there's always the chance that further disclosures go unnoticed because they were made when people had shifted their attention to whatever's grabbing headlines.