Facebook’s security woes seem to be in a perpetual grind. In a report on his KrebsOnSecurity site, investigative cybersecurity journalist Brian Krebs learned that the social network had stored user account passwords in plain text, where its employees could access them. However, Facebook said that none of the employees “abused access to this data.”
KrebsOnSecurity reported that the number of users whose passwords may have been stored this way ranged between 200 million and 600 million, that the passwords were “searchable” by 20,000 Facebook employees, and that 2,000 engineers or developers “made approximately nine million internal queries.”
In its exclusive report, KrebsOnSecurity said these unencrypted passwords, stored in plain text format, were used by employees to build applications. It quoted a “senior Facebook employee” who is familiar with the investigation.
KrebsOnSecurity quoted a Facebook official saying that the investigating team hasn’t found any employee who intentionally accessed the passwords and used them for “malicious” purposes.
In connection with this, security solutions company Sophos advised Facebook users to change their passwords even though the social media network said that there is no need to.
“It’s perfectly possible that no passwords at all fell into the hands of any crooks as a result of this,” said Paul Ducklin, senior technologist, Sophos. “But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before), then you can expect them to be abused. Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed.”
He also recommends using two-factor authentication (2FA) because it would mean that a password alone is not enough for cybercriminals to raid the account.
Facebook has been under fire for a series of data breaches last year and its woes continue this year.