Facebook Parent Fined £75m Over Password Storage

The Irish data protection commissioner has issued a 91 million euro (£75m) fine to Facebook parent Meta over a failure to securely store hundreds of millions of passwords.

The DPC, which is Meta’s lead privacy regulator in the EU, began an investigation in 2019 after the company notified it that it had inadvertently stored the passwords without encryption, with some dating back to 2012.

The company was criticised at the time for a failure to take basic security precautions.

The DPC submitted a draft decision to other EU data regulators in June of this year and received no objections.


‘Risks of abuse’

Meta has been fined for several other breaches of the EU’s General Data Protection Regulation (GDPR), which is also in force in the UK.

“It is widely accepted that user passwords should not be stored in ‘plaintext’ considering the risks of abuse that arise from persons accessing such data,” said DPC deputy commissioner Graham Doyle.

“It must be borne in mind, that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.”

The DPC notified Meta of the fine and accompanying reprimand on 26 September.

“We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” Meta said in a statement.

The company’s other GDPR fines include a 405m euro penalty for Instagram over mishandling teen data, 265m euros over the publication of user data on a hacking forum in 2021 and 1.2bn euros for mishandling data when conducting transatlantic data transfers.

‘Give me a break’

In 2019 Meta admitted it had stored hundreds of millions of passwords without encryption on internal servers accessible by 20,000 staff members.

The company said it had discovered the error as part of a routine security review in January of that year.

The majority of the affected passwords belonged to users of Facebook Lite, a cut-down version of the social media app for regions with poor or slow connectivity.

At the time Meta estimated hundreds of millions of Facebook Lite passwords were affected, along with tens of millions of other Facebook users and tens of thousands of Instagram users, with the problems dating back in some cases to 2012.

“Passwords in a flat file for anyone to read? Are you kidding me? Give me a break!” commented Sam Curry, chief security officer at Cybereason, at the time.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
