Meta fined $100M for storing user passwords in plain text
The fine follows an investigation into a security breach from 2019

Sep 27, 2024, 05:52 pm

What's the story

The Irish Data Protection Commission (DPC) has imposed a fine of $101.5 million on Meta. The penalty follows an investigation into a 2019 security incident in which the company inadvertently stored users' passwords in plain text on its internal servers. Meta discovered the problem in January of that year and disclosed it publicly in March, later revealing that millions of Instagram passwords were also affected.

Breach impact

Security breach impacted up to 600 million passwords

While Meta did not provide specific figures on the number of affected accounts, a senior employee told Krebs on Security that the incident involved up to 600 million passwords, some of which had been stored in an easily readable format on the company's servers since 2012. The DPC confirmed that these passwords were searchable by over 20,000 Facebook employees but clarified that they were not exposed to external parties.

GDPR violations

DPC: Meta violated several GDPR rules

The DPC found that Meta had violated several General Data Protection Regulation (GDPR) rules in relation to the breach. The commission determined that Meta failed to "notify the DPC of a personal data breach concerning storage of user passwords in plain text." It also found that the company did not "document personal data breaches concerning the storage of user passwords in plain text." Finally, Meta breached GDPR by not using appropriate technical measures to protect users' passwords against unauthorized processing: a plaintext copy readable by any employee with access to the logs is exactly the kind of internal exposure those measures exist to prevent.

Security emphasis

DPC Deputy Commissioner emphasizes importance of password security

Graham Doyle, the Deputy Commissioner of the DPC, emphasized the importance of password security in a statement. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," he said. He further highlighted that "the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."
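The "appropriate technical measures" the DPC found missing, and the practice Doyle describes as widely accepted, come down to one thing: never persist the password itself, only a salted, deliberately slow one-way hash of it. The example below is added here to show the difference; it is not Meta's code, and the record format, function names and the constructed sample accounts are assumptions. It uses PBKDF2-HMAC-SHA256 from the standard library because it runs anywhere; Argon2id or scrypt are stronger choices where a suitable library is available. The search function shows why the "searchable by 20,000 employees" detail matters: against the plaintext table an insider can find every account using a given password, while against the hashed table the same query finds nothing, because each record carries its own random salt.

```python
"""Plaintext password storage beside the salted-hash alternative (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256 at time of writing
SALT_BYTES = 16        # 128-bit random salt per record
DKLEN = 32             # derived-key length in bytes


def store_plaintext(password: str) -> str:
    """The practice the DPC fined: the stored record *is* the password."""
    return password


def store_hashed(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. Record layout is an assumption for this example:
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False   # malformed record: fail closed, never raise into the login path
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record uses an unknown scheme or a lower cost than current
    policy; such records are upgraded at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def search_by_password(table: dict, password: str) -> list:
    """An insider query against a credential table: which accounts use this
    password? Only answerable when the table holds plaintext."""
    return sorted(user for user, rec in table.items() if rec == password)


def demo() -> dict:
    # Constructed sample accounts; alice and bob deliberately share a password.
    creds = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    plaintext_table = {u: store_plaintext(p) for u, p in creds.items()}
    hashed_table = {u: store_hashed(p) for u, p in creds.items()}
    return {
        "plaintext_hits": search_by_password(plaintext_table, "hunter2"),
        "hashed_hits": search_by_password(hashed_table, "hunter2"),
        "alice_ok": verify_hashed("hunter2", hashed_table["alice"]),
        "alice_wrong": verify_hashed("Hunter2", hashed_table["alice"]),
        "shared_password_same_record": hashed_table["alice"] == hashed_table["bob"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting: `verify_hashed` reads the iteration count from the record rather than from the global, so old records keep verifying after the policy is raised, and `needs_rehash` lets the application migrate them opportunistically; and the comparison uses `hmac.compare_digest` so that a wrong guess takes the same time regardless of how many leading bytes match.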