Facebook admitted in March that it had stored passwords in plain text, making it possible for its thousands of employees to search them. It said that no outsiders could access the passwords as they were stored on internal company servers.

Facebook said in a blog post Thursday that it now estimates that “millions” of Instagram users were affected by the lapse, instead of the “tens of thousands” it had originally reported.