Facebook has said the passwords of millions of Instagram users were stored in an unencrypted format.
The revelation was made in an update to a blog post from last month.
It was previously revealed that hundreds of millions of Facebook passwords were stored in plain text.
Typically, passwords are stored in an encrypted format - meaning the passwords are 'masked' so that nobody, not even Facebook staff, can read them.
The process of 'hashing' and 'salting' passwords means they can be kept and validated without being stored in plain text format.
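As an added illustration (not Facebook's code, and not part of the original report), this is how salted hashing lets a service validate a login without keeping the password itself. The function names, the record layout and the scrypt cost parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this example, not Facebook's)
N, R, P, KEY_LEN = 2**14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation of the stored hash."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P,
                          maxmem=64 * 1024 * 1024, dklen=KEY_LEN)


def hash_password(password: str) -> str:
    """Return the record to store: salt and hash, never the password."""
    salt = os.urandom(16)  # fresh random salt for every user
    return f"scrypt${salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from a login attempt and compare in constant time."""
    try:
        scheme, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    secret = "correct horse battery staple"
    alice, bob = hash_password(secret), hash_password(secret)
    print(alice)  # the two records differ because the salts differ
    print(bob)
    print(verify_password(secret, alice), verify_password("guess", alice))
```

Hashing only protects the stored record; a password written to a log before it reaches this step is still readable there.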
However, a security review earlier this year found that the passwords were being stored in a readable format in Facebook's internal data storage systems.
Facebook insisted there was no evidence the passwords had been "internally abused or improperly accessed".
The initial numbers included 'tens of thousands of Instagram users', alongside hundreds of millions of Facebook and Facebook Lite users.
However, the social network has now acknowledged that the initial number for Instagram passwords was too low.
In today's update, Facebook said: "Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users.
"We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed."
The Data Protection Commission (DPC) in Ireland has previously confirmed that Facebook had contacted it about the password issue.