Meta Fined $102 Million for Storing Users’ Passwords in Plain Text

PetaPixel

Meta was fined more than $100 million for a security breach that saw the company store some users’ passwords in plain text.

On Friday, the Irish Data Protection Commission, the lead privacy regulator in the European Union, imposed a $102 million (91 million euro) penalty on social media giant Meta for inadvertently storing some users’ passwords without protection or encryption.

The Irish Data Protection Commission says it slapped the parent company of Facebook and Instagram with the fine following a five-year investigation.

The watchdog started investigating Meta in 2019 after the social media company notified it that some passwords had been inadvertently stored on its internal systems in plain text, meaning they were not encrypted and employees were able to search for them.
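To make the storage failure above concrete, here is an added Python example (not code from the article or from Meta) that contrasts a plain-text credential store with one keeping only a salted, slow hash; it uses the standard library's scrypt, and the KDF choice, cost parameters and the sample credentials are assumptions made for the example, since the article does not say how Meta hashes passwords. The search function models the risk the regulator describes: someone with read access to internal data looking for a password string.

```python
import hashlib
import hmac
import os

# scrypt from the Python stdlib with a 16-byte random salt per user. The KDF
# choice and cost parameters (memory = 128 * r * N = 16 MiB) are assumptions
# for this example; the article does not say how Meta hashes passwords.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN, DKLEN = 2 ** 14, 8, 1, 16, 32


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Return the record salt || digest. A fresh salt per user means two users
    with the same password get different records, so the store cannot be
    grepped for a known value or deduplicated."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time; the
    password itself is never written anywhere."""
    salt = record[:SALT_LEN]
    return hmac.compare_digest(hash_password(password, salt), record)


def build_plaintext_store(credentials: dict[str, str]) -> dict[str, bytes]:
    """The failure mode in the article: the raw password is the stored record."""
    return {user: pw.encode("utf-8") for user, pw in credentials.items()}


def build_hashed_store(credentials: dict[str, str]) -> dict[str, bytes]:
    """The expected practice: only salt || digest is kept per user."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def users_exposing_secret(store: dict[str, bytes], secret: str) -> list[str]:
    """Model the risk the article describes: someone with read access to the
    internal data searching it for a password. Returns users whose stored
    record contains the secret verbatim."""
    needle = secret.encode("utf-8")
    return sorted(user for user, record in store.items() if needle in record)


# Constructed sample credentials for the demonstration (not real data).
SAMPLE = {"alice": "hunter2", "bob": "hunter2"}
```

Running `users_exposing_secret` over the two stores built from `SAMPLE` returns both users for the plain-text store and none for the hashed one, while `verify_password` still authenticates the correct password against the hashed record.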

“It is widely accepted that user passwords should not be stored in ‘plaintext’ considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, the deputy commissioner of the Irish Data Protection Commission, says in a statement. “It must be borne in mind, that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.”

Meta publicly acknowledged the incident at the time. However, while Meta did not disclose the exact number of affected accounts, a senior employee informed Krebs on Security in 2019 that up to 600 million passwords were involved.

Some of these passwords had been stored in an easily readable format on the company’s servers since 2012. They were also reportedly accessible to over 20,000 Facebook employees.

However, a Meta spokesperson said the company took immediate action to fix the error after identifying it during a security review in 2019, and that there is no evidence the passwords were abused or accessed improperly.

The Irish Data Protection Commission, which is based in Dublin, Ireland, is the lead EU regulator for most of the top U.S. internet firms. The $102 million penalty is the latest in a series of hefty fines that the regulator has handed Meta.

Last year, it hit Meta with a record-setting $1.3 billion fine for mishandling users’ data. It also fined Instagram’s parent company $402 million for letting teenagers set up accounts that publicly displayed their phone numbers and email addresses.

Image credits: Header photo licensed via Depositphotos.