Level 36
As part of a seemingly never-ending stream of security blunders, Facebook disclosed today that the passwords of hundreds of millions of Facebook and Instagram users were stored in plain text for years on internal data storage systems.

According to Pedro Canahuati, VP Engineering, Security and Privacy:

To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.

The issue was discovered by Facebook during a routine security review from January 2019, when they discovered that "some user passwords were being stored in a readable format within our internal data storage systems."