The admission arrived in a quiet update to a previous blog post – at the exact time US attorney general William Barr was giving a press conference on the release of the Mueller report.
In the update, Facebook revealed it had found a privacy bug that meant millions of passwords would have been able to be read without the protection of encryption.
The change was posted at 10am eastern time, just as Mr Barr’s press conference was finishing. The event kicked off a day of intense interest in the findings of the Mueller report into Donald Trump’s links to Russia, which was released shortly after.
The timing meant Facebook’s update was less scrutinised than it might otherwise have been.
Facebook chose not to write a new blog post about the findings, instead disclosing the update by tweaking a post originally published a month ago.
It had already disclosed that some passwords had been made available in plain text, allowing employees to search through them. But at the time it said only that tens of thousands of people had been affected.
It will inform the millions of users that were caught up in the attack, it said. Facebook claimed its investigation “determined that these stored passwords were not internally abused or improperly accessed”.
In March, when the privacy failure was first disclosed, it said the issue had affected “hundreds of millions” of Facebook Lite users and millions of Facebook users. Facebook Lite is designed for people with older phones or slow internet connections.