Meta slapped with $102 million fine for storing passwords in plaintext
by Alap Naik Desai · Android Headlines
Meta is facing a fine of $102 million for storing some users’ passwords in “plaintext”. The social media giant has admitted to poor password management.
Meta faces $102 million fine for poor password management
The Irish Data Protection Commission (DPC) has imposed a $101.5 million (€91 million) fine on Meta. The penalty follows an investigation into a security breach way back in 2019.
Meta had notified the Irish authority that it had stored certain passwords of social media users in ‘plaintext’. Simply put, the tech giant stored the login credentials of a large number of users without any encryption on its internal systems. This is an extremely risky method as it can be easily exploited to compromise account security, Deputy Commissioner at the Irish DPC, Graham Doyle, said in a statement.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
The Irish regulator helping to police European Union data privacy wrapped up its investigation earlier this year. Thereafter it submitted a draft decision to the other EU national supervisory authorities in June 2024.
Facebook employees had easy access to these passwords
The Data Protection Commission has criticized Meta for its abysmal methods of handling user data. The regulator said the company not only failed to put in place appropriate security measures to protect users’ password data but also took way too long to alert it to the issue.
Meta hasn’t yet revealed any specific numbers. However, back when the company admitted to this lapse of security, a report indicated the incident could have involved up to 600 million passwords.
Some of the passwords were reportedly stored in plaintext format on the company’s servers since 2012. What’s even more concerning is that close to 20,000 Facebook employees had easy access to these passwords. In other words, internally, these passwords were easily searchable or obtainable. The Irish regulator has clarified that these login credentials weren’t available to anyone outside Facebook.
Meta is unlikely to challenge this fine as it has admitted to the mishandling of passwords. However, the company is facing much larger fines from the EU for allegedly stifling competition and other questionable business practices.