Meta has been hit with a €91 million ($101 million) fine by the Irish Data Protection Commission (DPC) for storing millions of user passwords in plaintext within its internal systems.
This security oversight, initially discovered and disclosed by Meta in 2019, led to significant repercussions following a five-year investigation by the EU’s primary privacy regulator.
Meta, then known as Facebook, admitted to accidentally storing user passwords without proper encryption, emphasizing that the exposure was internal and there was no evidence of misuse. However, the DPC determined that the practice violated the EU’s General Data Protection Regulation (GDPR).
DPC’s Conclusions and Enforcement
The DPC’s investigation revealed multiple breaches of GDPR by Meta, which included:
- Failing to inform the DPC of personal data breaches
- Inadequate technical measures to safeguard user passwords
As a result, the DPC issued a significant fine and a formal reprimand to Meta.
Online services normally protect stored passwords with standard cryptographic practices such as salted hashing, so that the original password is never written down. Meta generally follows these practices, but it remains unclear why numerous Facebook and Instagram user passwords were left in readable form.
Deputy Commissioner Graham Doyle highlighted the gravity of the situation, stating, “It must be borne in mind that the passwords involved are particularly sensitive, as they would enable access to users’ social media accounts.”
Storing passwords in plaintext presents serious risks, potentially granting unauthorized access to user accounts if the data were compromised.
Meta admitted the mistake, noting that a “subset” of Facebook users’ passwords was “temporarily logged in a readable format.” The company asserts that it took swift action to resolve the issue and proactively reported it to the Irish Data Protection Commission.
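The following is an added illustration, not code from the article or from Meta: it shows the salted hashing the article refers to, plus a logging filter that addresses the failure mode it describes, a password ending up in a readable log line. The PBKDF2 work factor, the field names and the sample log lines are assumptions constructed for this example.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import Optional

# Work factor is an assumption chosen for this example, not a value from the article.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # not a record this scheme produced (e.g. a plaintext value)
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# Matches "password=..." or "password: ..." fragments that a careless log line might carry.
_PASSWORD_FIELD = re.compile(r"(password\s*[=:]\s*)(\S+)", re.IGNORECASE)

def redact(line: str) -> str:
    """Replace any password value in a log line with a fixed marker."""
    return _PASSWORD_FIELD.sub(r"\1[REDACTED]", line)

class RedactPasswordFilter(logging.Filter):
    """Logging filter that scrubs password values before any handler writes them."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = ()
        return True

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("auth")
    log.addFilter(RedactPasswordFilter())
    stored = hash_password("correct horse battery staple")
    print("verifies:", verify_password("correct horse battery staple", stored))
    log.info("login attempt user=%s password=%s", "alice", "hunter2")  # constructed line; value is scrubbed
```

The stored record contains only the salt and digest, so a leak of the password table or of the logs exposes no reusable password, which is the property the plaintext logging in this case lacked.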
This fine is part of a broader pattern of penalties levied against Meta by EU regulators, which include:
- €405 million for Instagram’s mishandling of teen data
- €5.5 million for WhatsApp
- €1.2 billion for transatlantic data transfers
These ongoing infractions underscore the persistent difficulties Meta faces in adhering to EU data protection regulations and ensuring user privacy and security.