Meta fined $101 million for storing hundreds of millions of passwords in plaintext

Meta, the prominent social media company, has been fined €91 million ($101 million) for inadvertently storing hundreds of millions of user passwords in plaintext, rather than in a secure, encrypted format, within its internal systems.

This significant oversight was first acknowledged by Meta in 2019 when the company revealed that it would inform all affected users about the unprotected storage of their passwords. However, Meta stressed that the passwords were only available internally and there was no indication that they had been misused.

After a comprehensive five-year investigation, the Irish Data Protection Commission (DPC), which serves as Meta’s lead privacy authority in the European Union because the company’s EU headquarters are located in Ireland, determined that the incident constituted a violation of Meta’s obligations under the EU’s General Data Protection Regulation (GDPR). The DPC’s findings highlighted that the company had not adhered to its legal responsibilities regarding the safeguarding of personal data.

In a statement released on Friday, the DPC announced its decision to impose a reprimand and financial penalty on Meta for multiple infringements of the GDPR. These violations included the failure to promptly notify the DPC about personal data breaches and the lack of adequate technical measures to ensure the protection of users’ passwords. Typically, online services must securely store passwords to prevent unauthorized access, safeguarding them from potential threats posed by malicious insiders or external hackers.

The company has clarified that Facebook typically safeguards user passwords through established cryptographic methods, which include techniques such as hashing and salting. However, it remains uncertain why a significant number of users on both Facebook and Instagram were not afforded this level of protection.

The DPC has indicated that it communicated its decision regarding the fine to other authorities within the European Union, and none raised any objections. Nevertheless, the full decision detailing the rationale behind the fine was not released alongside the regulator’s announcement on Friday.

Graham Doyle, the deputy commissioner, emphasized that it is generally recognized that user passwords should never be stored in plaintext due to the potential risks associated with unauthorized access to such information. He further noted that the passwords in question are particularly sensitive, as they grant access to users’ social media accounts, thereby heightening the importance of their protection.

Meta has yet to respond to inquiries regarding this matter.
