Facebook left millions of passwords readable by employees

Those call for organizations and websites to save passwords in a scrambled form that makes it almost impossible to recover the original text.
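To make concrete what "a scrambled form" means in practice, here is an added example (not from the article, and not Facebook's code) in Python: plaintext storage beside salted PBKDF2 hashing, a verifier that never needs the original text, and a check an auditor could run over stored records. The function names, record format and iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not taken from the article).
PBKDF2_ITERATIONS = 600_000   # work factor; raise as hardware gets faster
SALT_BYTES = 16               # random per-password salt


def store_password_plaintext(password: str) -> str:
    """The failure mode the article describes: the original text is kept
    verbatim, so anyone who can read the store (or a log that captured
    it) recovers the password directly."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'.
    A fresh random salt means two users with the same password get
    different records, so one stored record reveals nothing about another."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and
    compare in constant time; the record is never 'decrypted'."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def is_hashed_record(record: str) -> bool:
    """Audit check for a credential store: does this entry look like a
    salted PBKDF2 record rather than a raw password?"""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        return int(parts[1]) > 0 and len(bytes.fromhex(parts[2])) >= 8 \
            and len(bytes.fromhex(parts[3])) == 32
    except ValueError:
        return False
```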

The incident reveals yet another huge and basic oversight at a company that insists it is a responsible guardian for the personal data of its 2.3 billion users worldwide.

The company wants to encourage small groups of people to carry on encrypted conversations that neither Facebook nor any other outsider can read.

The fact that the company couldn't manage to do something as simple as encrypting passwords, however, raises questions about its ability to manage more complex encryption issues, such as in messaging, flawlessly.

But Alex Holden, the founder of Hold Security, said Facebook's explanation is not an excuse for sloppy security practices that allowed so many passwords to be exposed internally.

He said he's seen a number of instances where much smaller organizations made such information readily available not just to programmers but also to customer support teams.

Hunt and Krebs both likened Facebook's failure to similar stumbles last year on a far smaller scale at Twitter and GitHub; the latter is a site where developers store code and track projects.

That's good to know, although Facebook engineers apparently added code that defeated the safeguard, said security researcher Rob Graham.
