Facebook Parent Fined £75m Over Password Storage

The Irish data protection commissioner has issued a 91 million euro (£75m) fine to Facebook parent Meta over a failure to securely store hundreds of millions of passwords.

The DPC, which is Meta’s lead privacy regulator in the EU, began an investigation in 2019 after the company notified it that it had inadvertently stored the passwords without encryption, with some dating back to 2012.

The company was criticised at the time for a failure to take basic security precautions.

The DPC submitted a draft decision to other EU data regulators in June of this year and received no objections.


‘Risks of abuse’

Meta has been fined for several other breaches of the EU’s General Data Protection Regulation (GDPR), which is also in force in the UK.

“It is widely accepted that user passwords should not be stored in ‘plaintext’ considering the risks of abuse that arise from persons accessing such data,” said DPC deputy commissioner Graham Doyle.

“It must be borne in mind, that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.”

The DPC notified Meta of the fine and accompanying reprimand on 26 September.

“We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” Meta said in a statement.

The company’s other GDPR fines include a 405m euro penalty for Instagram over mishandling teen data, 265m euros over the publication of user data on a hacking forum in 2021 and 1.2bn euros for mishandling data when conducting transatlantic data transfers.

‘Give me a break’

In 2019 Meta admitted it had stored hundreds of millions of passwords without encryption on internal servers accessible by 20,000 staff members.

The company said it had discovered the error as part of a routine security review in January of that year.

The majority of the affected passwords belonged to users of Facebook Lite, a cut-down version of the social media app for regions with poor or slow connectivity.

At the time Meta estimated hundreds of millions of Facebook Lite passwords were affected, along with tens of millions of other Facebook users and tens of thousands of Instagram users, with the problems dating back in some cases to 2012.

“Passwords in a flat file for anyone to read? Are you kidding me? Give me a break!” commented Sam Curry, chief security officer at Cybereason, at the time.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
