Meta fined $100M for storing user passwords in plain text
What's the story
The Irish Data Protection Commission (DPC) has imposed a fine of $101.5 million on Meta. This penalty comes after an investigation into a 2019 security breach where the tech giant inadvertently stored users' passwords in plain text on its servers. The company initially disclosed this issue in January of that year but later revealed that millions of Instagram passwords were also affected by the same problem.
Breach impact
Security breach impacted up to 600 million passwords
While Meta did not provide specific figures on the number of affected accounts, a senior employee informed Krebs on Security that the incident involved up to 600 million passwords. Some of these passwords have been stored in an easily readable format on the company's servers since 2012. The DPC confirmed that these passwords were searchable by over 20,000 Facebook employees but clarified that they were not made available to external parties.
GDPR violations
DPC: Meta violated several GDPR rules
The DPC found that Meta had violated several General Data Protection Regulation (GDPR) rules in relation to the breach. The commission determined Meta failed to "notify the DPC of a personal data breach concerning storage of user passwords in plain text" Additionally, it was found that the company didn't "document personal data breaches concerning the storage of user passwords in plain text." Meta also violated GDPR by not using appropriate technical measures to protect users' passwords from unauthorized processing.
Security emphasis
DPC Deputy Commissioner emphasizes importance of password security
Graham Doyle, the Deputy Commissioner of the DPC, emphasized the importance of password security in a statement. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," he said. He further highlighted that "the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."