Meta has been slapped with a €91 million ($101 million) fine by the Irish Data Protection Commission (DPC) for storing hundreds of millions of user passwords in plaintext on its internal systems.
This security lapse, first discovered and announced by Meta in 2019, has resulted in severe consequences after a five-year investigation by the EU’s lead privacy authority.
The issue came to light when Meta, then Facebook, revealed that it had accidentally stored user passwords without proper encryption.
While the company stressed that the passwords were exposed only internally and showed no signs of abuse, the DPC found this practice to be in violation of the EU’s General Data Protection Regulation (GDPR).
DPC’s Findings and Actions
The DPC’s investigation uncovered several GDPR breaches by Meta, including:
- Failure to notify the DPC of personal data breaches
- Inadequate implementation of technical measures to protect user passwords
The DPC issued Meta with both a substantial fine and a reprimand as a consequence.
Typically, online services protect stored passwords using industry-standard cryptographic techniques such as salted hashing, so that the service never retains the password itself and a copy of the stored data does not directly reveal it. Meta normally adheres to these practices, making it unclear why a large number of Facebook and Instagram user passwords were left unprotected.
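To make the contrast concrete, here is an added example (not code from the article or from Meta) of the salted-hashing practice described above: a password is combined with a random per-user salt and run through a slow key-derivation function before storage, and login checks recompute and compare the digest in constant time. It also shows the defensive habit that addresses the "logged in a readable format" failure, redacting credential fields before a request record reaches any log. The algorithm (PBKDF2-HMAC-SHA256), the iteration count, the salt and key lengths, the stored-string layout and the field names are all illustrative assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative parameters (assumed; not any real service's configuration).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # deliberately slow to make brute force expensive
SALT_BYTES = 16        # 128-bit random salt, unique per stored password
KEY_BYTES = 32         # derived-key length in bytes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is generated unless one is supplied, so two users with
    the same password get different stored values and precomputed tables
    cannot be reused across accounts.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare.

    hmac.compare_digest avoids leaking where the mismatch occurs through timing.
    Malformed records are rejected rather than raising.
    """
    try:
        algorithm, iterations_str, salt_hex, hash_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# Field names that must never appear in readable form in a log line (assumed list).
SENSITIVE_FIELDS = {"password", "passwd", "new_password", "old_password"}


def safe_log_record(fields: dict) -> dict:
    """Return a copy of a request record with credential fields redacted.

    Applying this before any logging call is the simple guard against the
    'plaintext passwords in internal logs' failure mode.
    """
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
            for k, v in fields.items()}


if __name__ == "__main__":
    # Constructed sample inputs.
    record = hash_password("correct horse battery staple")
    print(record)                       # salt and digest differ on every run
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong guess", record))                    # False
    print(safe_log_record({"user": "alice", "password": "hunter2"}))
```

PBKDF2 is used here only because it ships in the Python standard library; a memory-hard function such as Argon2id or scrypt (available through `hashlib.scrypt` or a dedicated library) is the usual recommendation for new systems. Embedding the algorithm and iteration count in the stored record lets a service raise the work factor later and re-hash users transparently at their next successful login.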
Deputy Commissioner Graham Doyle emphasized the sensitivity of the issue, stating, “It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts”.
The storage of passwords in plaintext poses significant risks, potentially allowing unauthorized access to user accounts if the data were to be compromised.
Meta acknowledged the error, stating that a “subset” of Facebook users’ passwords were “temporarily logged in a readable format.” The company claims to have taken immediate action to rectify the issue and proactively reported it to the Irish Data Protection Commission.
This fine is the latest in a series of penalties imposed on Meta by EU regulators. Previous fines include:
- €405 million for Instagram’s mishandling of teen data
- €5.5 million penalty for WhatsApp
- €1.2 billion fine for transatlantic data transfers
These repeated infractions highlight the ongoing challenges faced by Meta in complying with EU data protection regulations and maintaining user privacy and security.