For years, Facebook has stored hundreds of millions of user passwords in plain text on internal company servers that were accessible to more than 20,000 employees, according to a blockbuster Thursday report from security reporter Brian Krebs. In some cases, the passwords have been available since 2012, according to the report. A senior Facebook employee told Krebs that between 200 and 600 million passwords were stored without encryption, and that the company is working to determine exactly how many passwords were stored in that fashion. The source added that about 2,000 of the 20,000 employees with access to the server made approximately 9 million queries that included the unencrypted password data.

The company acknowledged in a Thursday statement that “some user passwords were being stored in a readable format within our internal data storage systems,” and said that it expected to notify hundreds of millions of Facebook and Facebook Lite (a low connectivity option) users. The company emphasized that “these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”