Meta apps: Facebook, Instagram
Image: dole777 via Unsplash

Meta fined $101 million for storing hundreds of millions of passwords in plaintext

The social media giant Meta has been fined €91 million ($101 million) for accidentally storing hundreds of millions of its users’ passwords in plaintext, instead of in a protected, hashed format, on its internal systems.

Meta first announced discovering the engineering mistake back in 2019. At the time, the company stated it would be notifying everyone whose passwords were stored without protection, although it stressed the passwords were only exposed internally at Meta, and there was no evidence that any of them had been abused.

Following a five-year investigation, the Irish Data Protection Commission (DPC) — which is the EU’s lead privacy authority on Meta, as the company’s European headquarters are based in Ireland — found the incident was a breach of Meta’s legal duties under the EU’s General Data Protection Regulation (GDPR).

In a statement on Friday, the DPC said it was issuing a reprimand and fine to Meta for several breaches of the GDPR, including failing to notify the DPC of the personal data breaches and also failing to implement appropriate technical measures to protect users’ passwords.

To log a user in, an online service needs to be able to verify that user’s password; it is a secret shared between the user and the service. But to prevent those passwords from being stolen — either by malicious insiders or by hackers who have broken into its systems — an online service typically stores passwords in a protected format rather than verbatim.

As the company explained, Facebook normally protects people’s passwords using industry-standard cryptographic techniques, including hashing and salting. It is unclear why this was not the case for a large number of Facebook and Instagram users.
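As an added illustration (not Meta’s code or anything from the article), the following Python shows what “hashing and salting” means in practice: the service keeps only a per-user random salt and a slow hash of the password, verifies logins by recomputing the hash, and never writes the plaintext anywhere. The `pbkdf2_sha256` record format and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example of salted password hashing; the work factor is an
# assumption and should be tuned to the deployment's hardware.
ITERATIONS = 600_000


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the only thing the service should persist: algorithm, work
    factor, per-user salt and hash. The plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so the service can check a login without ever knowing the plaintext."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_reveals_password(password: str, record: str) -> bool:
    """A plaintext store contains the password verbatim; a hashed record does not."""
    return password in record


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample password
    rec_a = store_password(secret)
    rec_b = store_password(secret)
    # Same password, different salts: the stored records differ, so an insider
    # reading the database cannot spot users who share a password.
    print(rec_a != rec_b)
    print(verify_password(secret, rec_a))      # True
    print(verify_password("wrong", rec_a))     # False
    print(record_reveals_password(secret, rec_a))  # False
```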

The DPC said it had shared its decision with other EU authorities and none of them objected to the fine, although the full decision explaining the fine was not published alongside the regulator’s announcement on Friday.

Its deputy commissioner, Graham Doyle, said: “[It] is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

Meta did not immediately respond to a request for comment.

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.