Up to 400 million Facebook users are at risk of having their passwords accessed.

A new security flaw was revealed by security expert Brian Krebs on his website KrebsOnSecurity, and was confirmed by Facebook shortly after.

The social media giant is alerting hundreds of millions of users that it stored their passwords in a plain text, putting the security of many accounts at risk.

Passwords are usually masked in an unreadable format but the social network has admitted hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users may have been affected by the error.

The company said it has fixed the issue since uncovering it in January but the development will still come as a blow.

“Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees – in some cases going back to 2012,” Krebs said.

“My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords,” he explained.

“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” the social media giant said.

The logo of social networking site Facebook

Facebook is already dealing with a deluge of problems, most recently its handling of live streams following the Christchurch mosque attack and its response to removing videos.

An investigation carried out by the social network showed no evidence that anyone outside Facebook got hold of the passwords, nor were they abused by staff internally, the firm wrote in a blog post.

Pedro Canahuati, Facebook's vice-president for engineering, security and privacy, said: "As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems.

"We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way."

The announcement is the latest in a string of headaches for Facebook chief executive Mark Zuckerberg in recent years, including rampant misinformation spread on the network, breaches of user data and allegations of political manipulation.

In October, Facebook revealed millions of email addresses, phone numbers and other personal user information were compromised during a security breach, affecting as many as 50 million accounts.

Concerned users are being urged to change their password and consider enabling additional security measures such as a security key or two-factor authentication.