SAN FRANCISCO (AP) — Facebook left millions of user passwords readable by its employees for years, the company acknowledged Thursday after a security researcher exposed the lapse .

By storing passwords in readable plain text, Facebook violated fundamental computer-security practices. Those call for organizations and websites to save passwords in a scrambled form that makes it almost impossible to recover the original text.

"There is no valid reason why anyone in an organization, especially the size of Facebook, needs to have access to users' passwords in plain text," said cybersecurity expert...