Facebook has released a statement confirming that 600 million Facebook users’ passwords were stored on the platform’s internal servers in plain text. The unsecured passwords were discovered amid a “routine security review in January,” after which Facebook says it fixed the improper storage issue. The process is called “hashing.”

The primary security outage was first reported by security journalist, Brian Krebs. He maintains that some Facebook passwords were available for search internally as far back as 2012. The company’s internal investigation claimed to find no evidence of password-related impropriety. “These passwords were never visible to anyone outside of Facebook,” the statement released said. “We have found no proof or evidence to date that anyone internally abused or improperly accessed them.”

Facebook said they estimate they will have to notify hundreds of millions of Facebook users, tens of millions of Facebook Lite users and tens of thousands of Instagram users.

The 600 million users are a significant portion of Facebook’s user base of 2.7 billion people. Facebook says “they started to notify those affected so they could change their passwords.”

When asked how long the company’s systems had been logging passwords, a Facebook spokesperson said they “won’t be sharing additional details at this time”.

The company has been under intense scrutiny due to data leaks and security scandals that have earned the company criticism from customers and inquiries and fines from several regulatory agencies, particularly in the EU.