Meta Slapped With $100M For Exposing Millions of Facebook Passwords
The Data Protection Commission (DPC) of Ireland has imposed a $100 million fine on Meta, the parent company of Facebook, after the company inadvertently stored plaintext passwords of approximately 600 million users.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Irish DPC Deputy Commissioner Graham Doyle said in a statement. “It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
“This Decision of the DPC concerns the GDPR principles of integrity and confidentiality,” the Commission said in a news release.
The DPC’s ruling concludes an inquiry initiated in 2019, following a report by American security researcher Brian Krebbs in March of that year. Meta did notify the Data Protection Commission that it had unintentionally stored user passwords without employing cryptographic protection or encryption, a clear violation of the security standards outlined in the General Data Protection Regulation (GDPR).
However, the regulators highlighted in their decision that Meta didn’t do so “in a timely manner.”
On top of failing to implement the necessary technical and organizational security measures required by GDPR to protect users’ data from unauthorized access, Meta also didn’t properly manage security risks associated with the type of data processed, including how that data was stored on Meta’s database servers, DPC Ireland said.
A Meta spokesperson stated that the company had taken immediate action to address the issue upon discovery.
“As part of a security review in 2019, we found that a subset of FB users’ passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” the statement said.
A DPC investigation into the matter confirmed that the exposed passwords were not made accessible to external parties, but it still left users vulnerable.
“A personal data breach may, if not addressed in an appropriate and timely manner, result in damage such as loss of control over personal data,” DPC said.
React to this headline: